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EXECUTIVE  SUMMARY 


Integrated  Risk  Assessment  (IRA)  Program 

This  report  describes  the  efforts  within  the  Loss  Exposure  and  Risk  Methodology  (LERAM) 
project  during  1996-1997  to  develop  a  forward-looking  loss  system  for  the  U.S.  Coast  Guard. 

The  IRA  program  integrates  risk  assessment  and  traditional  safety  survey  activities  to  identify, 
characterize,  and  monitor  hazards  and  safeguards  from  a  risk  prioritization  perspective.  In 
addition,  the  IRA  provides  the  risk  characterization  information  needed  for  risk  management 
activities  that  are  currently  being  developed  and  integrated  into  existing  Coast  Guard 
management  practices.  Risk  characterization  information  is  obtained  from  a  variety  of  data 
sources  and  subject  matter  expert  (Coast  Guard  operations  and  maintenance  personnel) 
assessments  facilitated  by  trained  assessment  facilitators  (Coast  Guard  health  and  safety  staffs). 

The  IRA  program  is  a  systematic,  predictive  approach  for  characterizing  risks  associated  with 
operational  and  maintenance  activities  and  preventing  potential  losses.  The  program  approach  is 
to  characterize  total  risk  to  a  Coast  Guard  unit  or  facility.  Characterizing  how  inherent  hazards 
can  produce  losses,  assessing  the  types/levels  of  safeguards  needed,  developing  recommenda¬ 
tions  for  reducing  risks,  and  generating  risk  profiles  for  op  irations/facilities  enables  Coast  Guard 
leadership  to  effectively  manage  risk.  Possibly,  just  as  important,  since  operational  personnel 
characterize  the  hazard  and  safeguard  interplay  involved  with  accident  scenarios,  their 
understanding,  awareness,  will  lead  to  personal  risk  reduction  measures. 

Risk  information  is  used  to  assist  in  assessing  the  significance  and  importance  of  safeguards  for 
preventing  or  mitigating  losses.  Safeguards  can  be  ranked  based  on  their  contribution  to  the 
overall  risk  and  monitored  appropriately.  Understanding  safeguard  contributions  to  risk  enables 
the  scope  and  number  of  safety  surveys  to  be  modified  to  more  effectively  employ  trained  safety 
professionals.  In  addition,  characterizing  the  effectiveness  of  safeguards  provides  valuable 
information  to  correct,  modify,  or  eliminate  safeguards  to  reduce  risk  and  reduce  maintenance 
and  monitoring  resources. 

The  Coast  Guard  Integrated  Risk  Assessment  (IRA)  Program  addresses  risks  from  the 
perspective  deemed  most  appropriate  by  Coast  Guard  operations,  maintenance,  health  and  safety, 
and  program  personnel.  Industry  accepted  techniques,  definition,  and  measures  of  success  were 
used  as  the  basis  for  a  process  that  provides  the  Coast  Guard  with  the  means  necessary  to 


VI 


effectively  identify,  assess,  and  manage  risk.  It  is  a  scientific,  predictive  approach,  based  on  both 
historical  information  and  expert  judgment. 

The  Integrated  Risk  Assessment  program  consists  of  a  both  coarse  and  detailed  risk  analysis 
processes,  the  integration  of  risk  assessment  into  our  established  safety  survey  practice,  and 
necessary  training,  techniques,  and  tools.  The  critical  management  systems  necessary  to  support 
such  a  program  and  ensure  its  integration  into  other  critical  business  practices  are  currently  under 
development.  The  Coast  Guard’s  risk  management  program  while  being  incrementally  developed 
and  fielded  will  completely  transition  fi'om  the  research  and  development  phase  by  the  year  2001 . 

As  with  industry  and  other  government  agencies,  the  Coast  Guard  expects  risk  assessment/ 
management  methods  to  be  continuously  revised  to  account  for  different  types  of  loss  exposures, 
new  technologies  that  affect  data,  analysis,  documentation,  and  communication  of  the  results, 
and  changing  requirements. 
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1.  Introduction 


As  part  of  the  United  States  Coast  Guard’s  (Coast  Guard's)  Safety  Program,  the  Research 
and  Development  Center  (RDC)  was  requested  to  explore  flie  possibility  of  applying  system 
safety  concepts,  including  the  use  of  risk  analysis  and  the  enhancement  of  the  safety  survey 
process  with  risk-based  information,  to  improve  Coast  Guard  operations  and  facility  safety.  This 
research  was  executed  imder  the  Coast  Guard  Loss  Exposure  and  Risk  Analysis  Methodology 
(LERAM)  project.  The  Coast  Guard  RDC  teamed  with  JBF  Associates,  Inc.  (JBFA),  a 
consulting  firm  specializing  in  hazard  and  risk  analysis/management,  to  develop  a  risk-based  loss 
prevention  program  consisting  of  a  risk  assessment  methodology  (techniques  and  tools)  and  a 
risk  management  program.  This  report  documents  the  development  of  the  risk  assessment 
methodology  and  presents  the  methodology. 

Development  of  the  methodology  began  in  1995  with  the  following  objectives: 

•  Develop  practical  approaches  for  estimating  risk  exposure  for  various  Coast  Guard  activities 
so  that  managers  can  use  the  risk-based  information  in  decision  making 

•  Identify/develop  efficient  and  effective  risk  analysis  approaches  for  providing  the 
information  that  Coast  Guard  personnel  will  need  for  decision  making 

•  Demonstrate  the  effectiveness  of  the  selected  risk  analysis  approaches 

•  Enhance  the  Coast  Guard  safety  survey  process  to  make  it  more  efficient  and  effective  by 
focusing  on  significant  risks  and  reducing  emphasis  on  unnecessary  requirements 

•  Integrate  risk  analysis  and  safety  surveys  to  provide  reliable  measures  of  risk  exposure 
associated  with  Coast  Guard  missions 

The  result  of  achieving  these  objectives  is  the  Integrated  Risk  Assessment  (IRA)  process. 
The  IRA  process  provides  the  Coast  Guard  with  the  means  necessary  to  effectively  manage  and 
control  risk  at  its  units  (both  vessels  and  shore  facilities).  The  process  supplies  risk-based 
information  to  aid  Coast  Guard  personnel  in  making  tactical  as  well  as  long-term  strategic 
decisions.  It  is  a  systematic,  predictive  approach  (based  on  both  historical  information  and 
expert  judgment)  for  imderstanding  the  risk  associated  with  Coast  Guard  activities  and 
preventing  potential  losses  within  the  Coast  Guard  by: 
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•  Identifying  how  inherent  hazards  associated  with  Coast  Guard  operations/facilities  can 
produce  potential  losses 

•  Characterizing  the  risks  of  potential  losses 

•  Assessing  the  types/levels  of  safeguards  needed  to  effectively  manage  the  identified  risks 

•  Helping  to  ensure  that  safeguards  adopted  by  the  Coast  Guard  are  effectively  implemented  in 
the  field 

•  Developing  recommendations  for  reducing  risks  (i.e.,  better  safeguards  for  operations/ 
facilities) 

•  Producing  risk  profiles  for  operations/facilities  that  Coast  Guard  managers  can  use  to 
manage  Coast  Guard  risks 

As  shown  in  Figure  1.1,  the  IRA  process  has  two  distinct,  yet  closely  related,  parts;  (1)  risk 
analysis  process  (which  is  divided  into  coarse  risk  analysis  and  detailed  risk  analysis)  and  (2) 
risk-based  safety  survey  process. 


Figure  1.1  IRA  Process 

Coarse  risk  analysis  is  a  team-oriented,  high-level  (coarse),  predictive  analysis  tool  for 
identifying  hazards,  potential  mishaps  (losses),  safeguards,  risk  associated  with  the  mishaps,  and 
recommendations  for  reducing  risk.  The  coarse  risk  analysis  tool  is  designed  to  be  performed  by 
Coast  Guard  safety  professionals  who  have  received  modest  risk  assessment  training. 
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DetaOed  risk  analysis  is  a  collection  of  standard,  industry-proven,  predictive  analysis  tools 
that  can  be  used  when  specific  results  with  a  higher  degree  of  resolution  and/or  certainty  are 
required.  The  detailed  risk  analysis  tools  require  an  experienced  analyst. 

The  risk-based  safety  survey  process  is  a  process  for  systematically  ensuring  that  the 
safeguards  designed  to  control  risk  are  being  effectively  implemented  in  the  field.  The  process 
uses  risk-based  information  to  reduce  the  total  resources  required  to  effectively  control  overall 
risk  by  focusing  those  resources  on  the  issues  associated  with  the  most  significant  risks.  It 
includes  a  combination  of  field  observations  of  equipment  status  as  well  as  direct  reviews  of 
management  programs/documentation.  This  highlights  where  safeguard  implementation 
weaknesses  are  increasing  risks.  The  risk-based  safety  survey  process  also  includes  methods  for 
determining  the  root  causes  of  deficiencies.  The  process  may  be  performed  by  Coast  Guard 
safety  professionals  or  even  unit  safety  supervisors  who  have  modest  training. 

The  remainder  of  this  report  is  divided  into  six  sections.  Section  2  (Backgroimd)  discusses 
(1)  the  circumstances  that  have  led  the  Coast  Guard  to  explore  the  development  of  a  risk 
assessment  process,  (2)  risk  fundamentals,  and  (3)  the  purpose  and  benefits  of  a  risk  assessment 
process.  Section  3  (Guiding  Principles)  discusses  the  10  principles  the  RDC  and  JBFA  followed 
during  the  development  of  a  Coast  Guard  risk  assessment  process.  Next,  Section  4  (IRA  Process 
Description)  familiarizes  the  reader  with  the  final  results  of  the  Coast  Guard  risk  assessment 
process  development  by  providing  a  brief  explanation  of  the  various  parts  of  the  IRA  process. 

The  approach  used  to  develop  the  IRA  process,  as  well  as  the  results  of  validating  the  process, 
are  discussed  in  Section  5  (IRA  Process  Development).  A  discussion  of  future  work  that  will 
focus  on  Coast  Guard  risk  management  systems  is  included  in  Section  6  (Future  Development). 
Section  7  (Concluding  Remarks)  contains  final  thoughts  about  the  IRA  process.  The  attachments 
to  this  report  include  the  IRA  Manual  (which  fully  dociunents  the  IRA  process)  and  example 
applications  of  the  IRA  process  on  vessel  and  shore  assets 

Note:  During  the  course  of  this  research  project,  the  term  ‘‘hazard  analysis  "  was  changed 
to  "risk  analysis  ”  to  better  describe  the  process.  Therefore,  the  term  "hazard  analysis  ”  will  be 
found  in  many  previous  letters,  reports,  and  other  work  products  related  to  this  project.  These 
previous  references  to  hazard  analysis  should  now  be  interpreted  as  references  to  risk  analysis. 
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2.  Background 

History  of  Risk  Assessment 


Modem  risk  assessment  has  roots  in  probability  theory  and  scientific  methods  for  identifying 
causal  links  between  adverse  health  effects  and  different  types  of  hazardous  activities.  In  1792, 
Pierre  Simon  de  LaPlace  demonstrated  a  modem  quantitative  risk  assessment  by  calculating  the 
probability  of  death  associated  with  and  without  receiving  the  smallpox  vaccination.  Insurance 
may  be  one  of  the  oldest  strategies  for  dealing  with  risk.  In  1950  B.C.,  the  Code  of  Hamurabi 
formalized  bottomry  contracts  containing  a  risk  premium  for  the  chance  of  loss  of  ships  and 
cargo  and  in  1583  the  first  life  insurance  policy  was  issued  in  London. 

til  th 

Risk  mitigation  measures  in  the  form  of  water  and  garbage  sanitation  in  the  19  and  20 
centuries  were  extremely  successful  in  decreasing  the  risk  of  mortality  and  morbidity.  Along 
similar  lines,  building  and  fire  codes,  boiler  testing  and  inspection,  and  safety  engineering  on 
steamboats,  railroads  and  automobiles  greatly  contributed  to  public  safety.  A  whole  field  of  risk 
management  was  developed  based  on  common  sense  risk  analysis,  which  increased  the  longevity 
and  generally  improved  the  quality  of  life  for  most  citizens  in  industrialized  countries. 

Conceptual  development  of  modem  risk  analysis  in  the  United  States  and  other  industrially 
developed  countries  rose  from  the  potentially  catastrophic  consequences  and  uncertainty 
associated  with  high  hazard  industries  such  as  nuclear  power,  chemical  processing,  aviation,  and 
modem  weapon  systems.  In  addition,  increased  awareness  and  demand  for  public  safety  in 
industrialized  environments  led  governments  to  establish  agencies  similar  to  om  Environmental 
Protection  Agency,  Occupational  Safety  and  Health  Administration,  and  the  National  Institute  for 
Occupational  Safety  and  Health. 

Evolution 

Formal  risk  assessment  studies  initially  focused  on  the  potential  causes  and  consequences  of 
major  events  that  could  involve  large  numbers  of  injuries  or  economic  impact,  such  as  explosions 
and  release  of  toxic  substances.  Typically,  a  risk  assessment  focused  on  ways  that  equipment 
failures,  software  problems,  human  errors,  and  external  factors  (e.g.,  weather)  contributed  to 
losses.  Risk  assessments  typically  did  not  include  industrial  health  and  safety  issues,  although 
these  can  significantly  contribute  to  the  total  losses  experienced  by  an  organization. 
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These  initial  assessment  techniques  are  characterized  by  a  strong  emphasis  on  quantitative 
information.  This  initial  emphasis  continues  to  have  a  strong  influence  on  the  thinking  of  many 
risk  management  practitioners,  in  that  qualitative  assessments  involve  human  judgement,  thus  are 
inherently  unreliable  or  inaccurate.  These  initial  techniques  were  designed  to  scientifically 
address  all  aspects  of  complex  systems  and  facilitate  analysis  and  what-if  scenarios  to  be 
considered  independent  of  human  analysis. 

As  experience  was  gained  in  the  field  of  risk  assessment,  and  more  industries  began  to  see  the 
benefits  of  assessing  loss  exposure,  less  expensive  and  more  robust  methods  were  needed  to 
offset  the  expertise  and  data  requirement  demands  of  strictly  quantitative  techniques.  Semi- 
quantitative  techniques  were  developed  to  incorporate  subject  matter  expertise  with  hard  data. 

As  engineered  systems  became  more  reliable  and  accident  scenario  and  risk  contribution 
awareness  grew,  emphasis  began  shifting  toward  human  performance  and  management  systems. 
These  contributors  had  the  potential  to  effect  a  wide  variety  of  loss  scenarios  and  their  failure 
rates  were  not  well  understood. 

Perspective 

There  are  a  variety  of  ways  to  describe  risk  and  many  definitions  are  products  of  established 
manufacturing  and  health  industries.  Chemicals  risks,  for  example,  are  traditionally  viewed  in 
terms  of  acute  toxicity,  subchronic  and  chroinc  toxity,  cancer  potency,  dose  vs.  response,  and 
exposure.  Chemical  risk  assessments  often  address  the  establishment  of  concentrations  that 
could  be  tolerated  by  most  people  without  adverse  health  effects.  Environmental  awareness  has 
broadened  the  perspective  of  chemical  risk  assessment  to  include  impacts  to  the  environment  that 
may  or  may  not  impact  public  health. 

Coast  Guard  Safety  Experience 

The  Coast  Guard,  like  many  organizations,  adheres  to  a  traditional  safety  program 
emphasizing  prescriptive  codes,  mishap  (loss  or  accident)  reporting,  and  incident  investigations. 
The  basic  risk  analysis  tools  that  the  Coast  Guard  has  traditionally  relied  upon  are  the  warning 
flags  obtained  from  reported  mishaps,  single  significant  events,  hazardous  condition 
notifications,  and  periodic  safety  audits.  Anomalies  in  mishap  trends,  significant  losses, 
anomalous  safety  audit  findings,  and  reported  hazards  are  benchmarked  against  the  Coast  Guard 
“corporate  experience.” 
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Over  time,  the  Coast  Guard  has  made  a  series  of  improvements  to  the  mishap  reporting 
procedures  to  provide  greater  resolution  of  the  factors  involved  in  losses  and  to  help  ensure 
consistently  accurate  reporting.  The  organization  has  strived  to  address  such  issues  as  human 
errors,  the  importance  of  root  causes,  the  importance  of  management’s  risk  acceptance  level,  and 
the  shortcomings  of  electronic  databases. 

The  Coast  Guard  realized  that  government  downsizing,  rapidly  changing  technologies, 
increased  system  complexities,  rising  construction  and  repair  costs,  high  turnover  rates,  and  ever- 
changing  high-risk  operations  may  erode  the  low  incident  rate  and  good  safety  record  of  its 
traditional  safety  program.  To  address  these  new  challenges,  the  Coast  Guard  decided  to  make  a 
concerted  effort  to  understand  and  apply  industry-proven  loss  prevention  and  risk  management 
practices  to  its  operations  and  facilities.  This  effort  involves  developing  a  risk-based  loss 
prevention  program  for  the  Coast  Guard,  which  includes  risk  assessment  techniques  and  tools 
under  the  umbrella  of  an  overall  risk  management  program. 

The  Coast  Guard  initially  focused  on  developing  risk  assessment  techniques  and  tools  (the 
topic  of  this  report).  Before  going  any  fiirther,  it  is  advantageous  to  briefly  discuss  risk,  risk 
assessment,  and  risk  management. 

Risk  is  defined  as  the  combination  of  the  expected  fretiuency  and  consequence  of  losses  that 
could  occur  as  a  result  of  an  activity.  Understanding  risk  includes  addressing  the  following  three 
questions: 

•  What  can  go  wrong? 

•  How  likely  is  it? 

-  •  What  are  the  impacts? 

Therefore,  analyzing  risk  involves  identifying  losses  of  interest  (What  can  go  wrong?), 
estimating  the  frequency  of  occurrence  (How  likely  is  it?),  and  evaluating  the  potential 
consequences  (What  are  the  impacts?). 

Risk  cannot  be  completely  eliminated;  however,  it  can  be  managed.  Many  risks  are  accepted 
as  a  cost  of  doing  business.  In  controlling  losses,  it  is  important  to  (1)  understand  the  associated 
risks,  (2)  understand  the  means  used  to  control  the  risks,  (3)  understand  the  level  of  acceptable 
risk  (accepted  cost  of  doing  business),  and  (4)  identify  and  manage  safeguards  to  reduce 
unacceptable  risk. 
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Risk  assessment  is  the  systematic  process  of  identifying  potential  losses  and  characterizing 
the  frequencies  and  severities  of  those  losses.  This  process  focuses  on  imderstanding  loss 
exposure  based  on  existing  conditions/protections  (safeguards)  as  well  as  generating 
recommendations  for  additional  safeguards  as  appropriate. 

Risk  management  is  the  use  of  Coast  Guard  management  policies,  procedures,  and  practices 
(management  systems)  to  control  Coast  Guard  risks.  Figure  2.1  shows  the  relationship  between 
risk  management  with  risk  assessment  (IRA  process)  and  Coast  Guard  management  systems  used 
to  control  risk.  (Attachment  A,  Sections  1  through  3,  contain  more  detailed  information  on  risk, 
risk  assessment,  and  risk  management.) 


Policies 

Procedures 

Information  management 

Training 

Supervision 

Communications 

Design  guides/requirements 

Quality  assurance 

Maintenance 

Management  of  change 

Acquisitions 

Accounting/budgeting 

Contigency  planning 

Etc. 


Figure  2.1  Risk  Management 

In  general,  there  are  two  approaches  to  managing  risk.  One  could  be  called  the  fly-fix-fly 
approach.  This  technique  of  not  taking  action  until  an  accident  occurs  has  been  proven  to  be 
quite  costly  in  terms  of  personnel  injuries,  property  damage,  and  environmental  consequences. 
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The  second  approach  could  be  called  the  proactive  approach.  This  approach,  with  risk 
assessment  as  a  cornerstone,  allows  management  the  opportunity  to  eliminate  or  reduce  risks  to 
an  acceptable  level  before  losses  occur. 

While  the  Coast  Guard  is  encouraged  to  operate  with  fewer  and  fewer  resources  (both 
equipment  and  personnel),  more  emphasis  is  placed  on  controlling  losses  and  reducing  loss 
exposure.  The  Coast  Guard  cannot  afford  to  operate  under  a  fly-fix-fly  philosophy.  It  recognizes 
the  advantages  of  developing  measures  to  understand  how  losses  occur,  and  it  is  committed  to 
designing  and  maintaining  safeguards  (e.g.,  policies,  procedures,  systems,  equipment)  to  prevent 
these  losses  from  occurring  (a  proactive  approach  to  loss  prevention). 

A  risk  assessment  methodology  is  a  proactive  tool  used  for  controlling  losses  and  reducing 
loss  exposure.  The  risk-based  information  from  a  risk  assessment  process  (1)  provides  decision 
makers  with  the  ability  to  focus  resources  in  the  most  effective  and  efficient  manner  to  reduce 
losses  and  (2)  helps  them  make  strategic  and  operational  decisions  that  reduce  loss  exposure 
(e.g.:  Can  the  operation  be  performed  safely  in  these  conditions?  Should  equipment  A  or  B  be 
purchased?  Should  equipment  C  be  maintained  more  often  than  equipment  D?).  The  RDC  and 
JBFA  developed  the  IRA  process  (risk  analysis  process  and  risk-based  safety  survey  process)  to 
fulfill  the  Coast  Guard’s  risk  assessment  needs. 

Table  2. 1  shows  two  perspectives  on  Coast  Guard  risk  management.  One  is  Coast  Guard 
risk  management  from  a  historical  perspective  (before).  The  other  perspective  is  Coast  Guard 
risk  management  after  implementation  of  the  IRA  process  (after).  The  table  includes  the 
approach  for  achieving  risk  understanding  and  risk  control  and  the  cost  and  effectiveness  of  risk 
management. 
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Table  2.1  Comparison  of  Risk 


Risk  Understanding 

Risk  Control 

Approach 

Approach 

Before 

Historical 

Reactive 

•  using  past  mishap 

•  historical  event 

information  for 

focus 

addressing 
potential  losses 

•  fly-fix-fly 

After 

Predictive 

Proactive 

•  using  historical 

•  predicted  event 

information  and 

focus 

expert  judgment  to 
predict  potential 

•  root  cause  focus 

losses 

•  based  on 

historical 
information  as 
well  as  expert 
judgment 

Risk  Management 
Effectiveness 


Cost  to  the  Coast  Guard 


•  manages  historically 
repeated  events 

•  will  not  adequately 
predict  and  prevent 
losses  that  have  not 
occurred  previously  or 
identify  and  correct 
root  causes 

•  no  risk  prioritization  to 
direct  management  of 
safeguards 

•  higher  loss  exposure 
due  to  changes  from 
historical  operations 
and  uncorrected  root 
causes 

•  manages  both 
historical  events  and 
other  future  high  risk 
events 

•  identifies  and  corrects 
root  causes 

•  prioritizes  safeguards 
to  reduce  resources 
required  for  safeguard 
management 

•  lower  loss  exposure 
due  to  proactive  loss 
prevention 


High 

•  significant  effort  for 
collection  and 
management  of 
information  related  to 
safeguard  management 

•  must  ensure  all 
safeguards  (regardless 
of  associated  risk)  are 
maintained  at  the  same 
level 

•  losses  due  to  recurring 
losses  and  xmcorrected 
root  causes 


Moderate 

•  risk  analysis  requires 
higher  initial  setup 
cost 

•  focused  information 
collection  and 
safeguard  management 
based  on  risk-based 
prioritization  of 
safeguards 

•  reduced  cost  of  losses 
due  to  a  proactive  loss 
prevention  approach 
and  the  elimination  of 
root  causes 


3.  Guiding  Principles 


To  develop  the  risk  assessment  process  (the  IRA  process),  the  RDC  and  JBFA  followed  10 

guiding  principles.  They  are  as  follows: 

(1)  Consistent  with  Coast  Guard  culture  —  The  risk  assessment  process  must  be  consistent 
with  the  Coast  Guard  management  style,  data-keeping  strategies,  and  intemal/extemal 
regulatory  requirements. 

(2)  Generically  applicable  to  all  types  of  Coast  Guard  operations  and  facilities  —  The 
process  must  be  capable  of  assessing  various  types  of  vessels  and  their  operations  as  well  as 
shore  facilities  and  their  operations. 

(3)  Flexible  enough  not  to  overwork  or  underwork  an  issue  —  The  process  must  be  capable 
of  assessing  an  issue  at  the  appropriate  level  of  detail  required  to  provide  adequate  results 
for  Coast  Guard  decision  making. 

(4)  Practical  for  Coast  Guard  personnel  to  implement  —  The  process  should  not  be 
unnecessarily  complicated.  Coast  Guard  personnel  who  have  moderate  risk  analysis  training 
should  be  capable  of  successfully  using  the  process. 

(5)  Designed  to  make  maximum  use  of  existing  Coast  Guard  processes  and  information 
—  The  process  should  not  “re-invent  the  wheel.”  Existing  Coast  Guard  processes  and 
information  should  be  integrated  into  the  risk  assessment  process  where  appropriate. 

(6)  Based  on  solid  risk  assessment  fundamentals  —  The  foundation  for  the  process  should 
be  built  on  solid  risk  assessment  fundamentals  that  have  been  proven  over  time  across  a 
variety  of  applications. 

(7)  Based  on  predictive  reasoning  techniques  as  well  as  historical  perspective 
techniques  —  The  process  must  be  capable  of  identifying  the  means  by  which  losses  occur 
(before  they  occur)  and  provide  the  Coast  Guard  with  information  that  will  allow  it  to 
implement  measures  to  prevent  these  losses  from  occurring.  The  process  must  also  take 
advantage  of  past  mishap  information  to  help  the  Coast  GKiard  control  future  losses. 

(8)  Useful  to  all  branches  of  the  Coast  Guard  in  their  decision  making  —  The  process 
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should  produce  results  that  are  easily  understood  and  are  useful  to  all  levels  of  Coast  Guard 
management. 

(9)  Focused  on  eliminating  root  causes  of  problems,  not  just  symptoms  —  The  process 
should  identify  root  causes  of  deficiencies  and  losses  and  provide  the  Coast  Guard  with  the 
information  necessary  to  prevent  these  root  causes. 

(10)  Useful  in  focusing  Coast  Guard  analysis,  prevention,  and  corrective  action  resources 
on  the  most  significant  risks  —  The  risk-based  information  produced  by  the  process 
should  help  the  Coast  Guard  efficiently  and  effectively  allocate  its  limited  resources  in 
reducing  loss  exposure. 

Following  these  guiding  principles  when  developing  the  IRA  process  produced  efficient  and 
effective  risk  assessment  techniques/tools  for  the  Coast  Guard. 

4.  IRA  Process  Description 

The  IRA  process  consists  of  two  subprocesses;  (1)  risk  analysis  and  (2)  risk-based  safety 
survey.  Figure  4. 1  is  a  representation  of  the  BRA  process.  Ellipses  such  as  “Coast  Guard  loss 
experience”  are  types  of  information  used  in  the  risk  analysis  and  risk-based  safety  survey 
processes.  Hexagons  such  as  “Risk  profiles”  are  types  of  information  these  processes  provide  to 
Coast  Guard  management  for  risk-based  decision  making. 


Figure  4.1  Integrated  Risk  Assessment  (IRA)  Process 
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This  section  briefly  discusses  the  main  elements  of  the  IRA  process  and  the  steps  involved 
in  performing  the  process.  Sections  4  through  8  of  Attachment  A,  Integrated  Risk  Assessment 
(IRA)  Manual,  provide  a  more  detailed  description  of  the  process  as  well  as  the  detailed  steps  for 
performing  the  process. 

4.1  Risk  Analysis  Process 

The  objectives  for  performing  risk  analyses  include: 

•  Fewer  losses  over  the  life  of  platforms/facilities 

•  Reduced  consequences  when  losses  occur 

•  Improved  training  and  understanding  of  system  interactions  and  the  effect  of  the  human 
element 

•  More  efficient  and  productive  mission  execution 

A  risk  analysis  involves: 

•  Identifying  hazards  systematically 

•  Postulating  combinations  of  equipment  failures/human  errors/extemal  events  that  allow 
the  hazards  to  cause  losses 

•  Characterizing  the  risks  of  the  potential  losses 

•  Identifying  the  most  significant  contributors  to  risk 

•  Providing  summaries  of  risks  (profiles)  associated  with  various 
platforms/operations/functions 

•  Developing  effective  recommendations  for  better  management  of  the  known  risks 

The  risk  analysis  process  of  the  IRA  process  includes  a  set  of  tools  (coarse  and  detailed  risk 
analyses)  for  performing  different  types  of  hazard/risk  analysis  at  various  levels  of  detail. 

4.1.1  Coarse  Risk  Analysis 

Coarse  risk  analysis  is  the  cornerstone  and  workhorse  of  the  risk  analysis  methodology  for 
the  Coast  Guard.  It  is  designed  to  be  performed  by  Coast  Guard  personnel  and  to  satisfy  most  of 
the  Coast  Guard’s  needs  for  hazard/risk  information  in  a  practical  and  efficient  manner.  This 
method  provides  all  of  the  types  of  results  of  more  detailed  evaluations,  but  with  a  lower  degree 
of  resolution.  The  coarse  risk  analysis  methodology  was  developed  from  the  hazard  and 
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operability  analysis  technique  used  by  the  petrochemical  industry.  The  methodology  uses  a  team 
approach  for  postulating  upsets  to  normal  operations  that  could  lead  to  undesirable 
consequences.  The  following  are  characteristics  of  a  coarse  risk  analysis: 

•  Generally  applicable  to  all  types  of  Coast  Guard  platforms 

•  Capable  of  satisfying  60%  to  90%  of  the  Coast  Guard’s  hazard/risk  analysis  needs 
without  requiring  the  use  of  more  detailed  techniques 

•  Streamlined  enough  for  efficient  application  without  requiring  extremely  extensive 
evaluations 

•  Can  be  used  by  Coast  Guard  personnel  who  have  modest  risk  analysis  experience 

•  Built  on  solid  hazard  evaluation  fundamentals  that  use  not  only  historical  perspective 
but  also  predictive  reasoning 

4.1.1.1  Coarse  Risk  Analysis  Steps 

Before  discussing  the  steps  of  the  coarse  risk  analysis,  here  are  some  definitions  of  terms 
that  are  important  in  understanding  the  steps  of  the  analysis: 

Operation/evolution  —  a  specific  operation  performed  in  support  of  a  Coast  Guard  mission 

(e.g.,  boarding  a  vessel) 

Function  —  a  distinct  activity  that  supports  one  or  more  operations/evolutions  (e.g.,  operating 
vessels/craft) 

Deviation  —  an  off-normal  condition  or  situation  that  has  the  potential  to  result  in  a  mishap 
(loss) 

(e.g.,  incorrect  position/direction/speed) 

There  are  five  major  steps  in  performing  a  coarse  risk  analysis: 

(1)  Determine  the  scope  of  the  coarse  risk  analysis  —  This  step  includes  determining  the 
equipment,  system,  unit,  etc.,  to  be  analyzed.  More  specifically,  it  identifies  the 
operations/evolutions  and  functions  of  the  Coast  Guard  unit  to  be  considered  in  the  analysis. 
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(2)  Screen  low  risk  operations/evolutions,  functions,  deviations,  and  locations  —  In  this 
step,  the  operations/evolutions  and  functions  are  reviewed  at  a  high  level  to  eliminate  lower 
risk  issues  from  further  analysis. 

(3)  Analyze  deviations  —  Analyzing  deviations  includes  identifying  causes,  mishaps  (losses), 
and  safeguards  applicable  to  each  deviation  within  the  scope  of  the  analysis.  This  step  also 
includes  estimating  risk  associated  with  deviations  and  developing  recommendations  for 
reducing  risk. 

(4)  Generate  a  risk  profile  —  This  step  involves  using  the  data  collected  in  Step  3  to 
characterize  the  risk  for  the  Coast  Guard  unit  being  analyzed.  Some  examples  of  these 
characterizations  are  presented  in  the  next  section. 

(5)  Evaluate  the  benefit  of  risk  reduction  recommendations  —  Step  5  determines  the  benefit 
of  implementing  the  risk  reduction  recommendations  developed  during  the  analysis. 
Information  from  this  step  helps  Coast  Guard  managers  decide  which  recommendations  to 
implement  and  in  what  order. 

These  steps  are  discussed  in  significant  detail  in  Section  5  of  Attachment  A.  The  current  set 
of  operations/evolutions,  functions,  and  deviations  for  vessels  and  shore  facilities  can  be  foimd  in 
Section  9  of  Attachment  A. 

4.1.1.2  Coarse  Risk  Analysis  Results 

The  coarse  risk  analysis  produces  various  results  that  enable  Coast  Guard  personnel  to  make 
risk-based  decisions  and  improve  the  management  of  risks  associated  with  Coast  Guard 
missions.  Below  is  a  sample  of  the  types  of  risk-based  management  information  available  from 
the  coarse  risk  analysis.  Section  5  of  Attachment  A  contains  detailed  instructions  for  obtaining 
these  results  and  additional  results  that  can  be  obtained  from  this  technique.  Attachments  B  and 
C  provide  an  example  of  a  coarse  risk  analysis  for  a  Coast  Guard  vessel  and  shore  facility, 
respectively. 

An  example  of  the  data  collected  during  a  coarse  risk  analysis  is  shown  in  Figure  4.2.  These 
results  document  the  potential  loss  (mishap)  scenarios  associated  with  specific 
operations/evolutions  and  functions.  These  scenarios  are  based  on  possible  deviations  that  may 
occur.  Included  are  characterizations  of  the  risk  associated  with  the  scenario  using  a  combination 
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of  frequency  categories  and  mishap  severity  levels  to  estimate  risk  as  a  dollar/year  loss 
considering  potential  safety,  economic,  mission,  and  environmental  losses.  Risk  is  expressed  as 
a  risk  index  number  (RIN),  which  is  the  dollar/year  loss  divided  by  10,000.  RIN  is  calculated  by 
using  an  average  mishap  cost  and  the  lower  bounds  of  the  estimated  frequency  range  of 
occurrence.  The  risk  (dollar/year  loss)  is  shown  within  parentheses  under  the  RIN.  Finally,  a 
certainty  estimate  is  assigned  to  the  risk  characterization. 


Coarse  Risk  Analysis 

Operation/Evolution:  Working  aids  to  navigation 

Function:  Operating  lifting  equipment 

Deviation 

Causes 

Mishaps 

Frequency 

RINt 

(Risk*) 

Certainty 

Safeguards 

Recommendations 

M 

B 

B 

1.1  Loss  of 
support 

Crane  cable/ 
rigging  failure 

Loss  of 
power  to  the 
crane 

Structural 
failure  in 
buoy  during 
lifting 

Equipment 

damage/loss 

Hazardous 

exposure; 

contact  injury 

(dropped 

objects, 

broken  lines, 

etc.) 

2 

5 

0.063 

($630) 

High 

Boom  is 

inspected 

annually 

Crew  inspects 
crane  daily  and 
cable  annually 

Consider  a  formal 
preventive 
maintenance 
program  for  crane 
rigging  and 
hardware 

Consider  further 
investigation  of  the 
same,  particularly 
during  loss  of  power 

t  Risk  Index  Number 

*  Estimated  dollar/year  loss  considering  safety,  economic,  mission,  and  environmental 
losses. 


Figure  4.2  Identifrcation  of  Hazards  and  Their  Associated  Risk 


Figure  4.3  shows  the  number  of  loss  scenarios  (deviations)  that  are  estimated  to  occur  at  a 
certain  frequency  and  result  in  a  certain  magnitude  of  loss  (class  of  mishap).  The  frequency  is 
represented  by  a  frequency  category.  For  example,  for  the  Class  C  mishap  category  in  Figure  4.3, 
fifteen  different  deviations  are  considered  Probable  (Frequency  Category  4).  This  risk  profile  is 
developed  from  the  risk  information  collected  during  the  coarse  risk  analysis  (as  shown  in  Figure 
4.2). 
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Class  of  Mishap 

A/BCD 


Figure  4.3  Risk  Matrix  Characterizing  a  Coast  Guard  Unit 


A  risk  histogram  of  the  operations/evolutions  of  a  vessel  is  shown  in  Figure  4.4.  The  risk 
contribution  or  contribution  of  the  operation/evolution  to  overall  vessel  risk  is  presented.  This 
information  can  be  used  to  identify  the  higher  risk  operations/evolutions.  Similar  histograms  are 
typically  developed  for  functions,  types  of  deviations,  types  of  mishaps  (losses),  locations,  etc.  A 
category  with  a  low  risk  level  may  be  an  indication  of  the  safeguard  levels  designed  to  eliminate 
or  mitigate  the  risk  of  an  inherently  dangerous  operation/evolution  and  not  just  relatively  safe 
operation  or  evolution. 

Vessel  leaving 
or  returning 

Towing 


Boarding 

Small  boat  launch/recovery: 

from  vessel 

Helicopter 
operations 

0.1  1  10  100 
Percent  of  Total  Risk 

Figure  4.4  Percentage  of  Total  Risk  of  Operations/Evolutions 
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Figure  4.5  displays  an  estimated  frequency  range  of  mishaps  (losses)  per  year  and  expected 
number  of  mishaps  over  50  years  for  a  typical  vessel  in  a  vessel  class.  The  table  also  includes  the 
estimated  frequency  for  mishaps  for  the  entire  vessel  class. 


Vessel 

Class 

Typical  Vessel 
Frequency  Bounds  for 
Mishaps  (per  year) 

Typical  Vessel 
Expected  Number  of 
Occurrences  over  50  Years 

Vessel  Class 
Frequency  Bounds 
for  Mishaps  (per  year) 

A/B 

c 

D 

A/B 

C 

D 

A/B 

C 

D 

Vessel 
Class  1 

0.13 
to  1.3 

1.4 
to  14 

26  to 
261 

7  to  65 

70 

to  700 

1300  to 
13000 

1.3 
to  13 

14  to 
140 

261  to 
2610 

Vessel 
.Class  2 

0.002  to  0.03 

0.2 
to  2 

7  to 

70 

10%  chance 
to  2 

10  to 
100 

350  to 
3500 

0.014  to 
0.21 

1.4 

10  14 

49  to 
490 

Figure  4.5  Range  of  Mishap  Frequencies  for  Assets 


Table  4.1  shows  two  example  recommendations  developed  by  a  coarse  risk  analysis  team 
and  the  estimated  change  in  RIN  of  associated  coarse  risk  analysis  deviations  if  the 
recommendations  are  implemented.  Change  in  RIN  is  determined  by  estimating  changes  to  the 
risk  characterizations  (See  Figure  4.2).  Shown  within  parentheses  imder  the  RIN  is  risk 
expressed  as  dollar/year  loss.  A  positive  number  represents  savings  due  to  implementation  of  the 
recommendation.  A  negative  number  represents  loss  due  to  implementation.  Change  in  RIN  is 
also  used  to  produce  results  such  as  those  in  Figure  4.6. 
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Table  4.1  Coarse  Risk  Analysis  Recommendations 


Recommendation 

Change 

inRINH 

(Risk*) 

Recommendation  A  —  Consider  modifying  the  ammunition  dredger  hoist  to  avoid  crushing 
rounds  and  to  incorporate  personnel  safety  features,  especially  in  regard  to  protecting 
hands/limbs.  At  least  one  significant  personnel  injury  has  occurred  in  the  fleet  while  operating  the 
hoist.  This  hazard  is  more  pronounced  in  the  lower  ammunition  magazine  serviced  by  the  hoist.  At 
that  location,  personnel  run  the  risk  of  (1)  catching  one  or  both  hands  in  the  hoist’s  folding  cover 
doors  when  loading  an  ammunition  round,  resulting  in  possible  minor  injury,  or  (2)  having  one  or 
both  hands  severely  injured  if  caught  in  the  folding  doors  and  the  hoist  subsequently  moves  upward, 
which  would  occur  if  the  operator’s  foot  were  to  slip  off  a  control  pedal  preventing  hoist  movement. 
The  team  also  noted  that  hoist  movement  is  stopped  by  contacting  interlock  switches  (these 
interlocks  may  not  be  imder  any  maintenance  program).  If  these  interlocks  fail,  an  ammunition 
round  may  be  crushed.  Therefore,  consider  incorporating  maintenance  reviews  of  the  ammunition 
dredger  hoist  into  the  Maintenance  and  Logistics  Command  (MLC)  health  and  safety  assessment 
process. 

0.3 

($3,000) 

Recommendation  B  —  Consider  modifying  the  guides  that  keep  the  floating  dock  in  place  to  (1) 
help  prevent  damage  to  the  piles  and  (2)  reduce  the  potential  for  personnel  injury  during 
maintenance  (being  caught  between  the  guide  and  piles).  The  guides  were  designed  for  a 
cylindrical  wood  pile.  The  current  piles  are  octagonal  (or  some  other  multisided  geometric  shape) 
and  are  made  of  concrete.  The  shape  and  design  of  the  guides  damage  the  piles  and  require  frequent 
maintenance.  A  new  guide  design  suited  for  the  piles  design  should  be  chosen. 

H  Risk  Index  Number 

*  Estimated  dollar/year  savings  if  the  recommendation  is  implemented. 


Figure  4.6  displays  the  cost  of  implementing  recommendations  (shown  in  the  boxes)  as 
compared  to  the  range  of  benefit  (cost  savings  shown  by  the  range)  gained  from  the  risk 
reduction.  This  range  reflects  the  uncertainty  of  the  frequency  estimates  in  the  analysis.  This 
information  aids  decision  makers  when  determining  whether  or  not  to  implement  a 
recommendation  and  in  what  order  to  implement  recommendations. 
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Recommendations 

*  A  reasonable  estimate  of  savings  is  only  possible  after  further  review. 

^  Savings  estimate  assumes  a  $300,000  average  cost  of  Class  A/B  mishaps,  a 
$30,000  average  cost  of  Class  C  mishaps,  and  a  $3,000  average  cost  of  Class  D 
mishaps. 

♦  Estimated  total  cost  of  implementing  recommendation. 


Note:  Savings  shown  account  for  50-year  life  of  a  vessel. 

Figure  4.6  Cost/Benefit  Analysis  for  Implementing  Risk 
Reduction  Recommendations 


4.1.2  Detailed  Risk  Analysis 

Detailed  risk  analysis  techniques  are  standard,  industry-proven  hazard/risk  analysis  methods 
providing  better  resolution  of  potential  loss  scenarios  and  more  certainty  in  risk  characterization 
of  loss  scenarios.  For  this  reason,  the  IRA  process  includes  an  assortment  of  detailed  risk 
analysis  tools  that  can  be  used  for  specific  Coast  Guard  applications.  Table  4.2  presents  these 
techniques  and  the  rationale  for  their  selection.  These  methods  typically  require  more  advanced 
levels  of  training  for  successful  application  and  are  used  only  when  more  detailed  analysis  is 
warranted.  Considering  the  high  cost  of  maintaining  qualified  evaluators  and  the  expected 
relative  low  frequency  of  their  use,  the  Coast  Guard  will  typically  contract  out  for  a  detailed  risk 
analysis. 
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Table  4.2  Detailed  Risk  Analysis  Techniques 


Technique 

Rationale  for  Selection 

What"if/Checklist 

The  simplicity  and  universal  applicability  of  what-if^checklist  analysis  made  it  a  natural 
choice  for  detailed  hazard/risk  analysis  within  the  Coast  Guard 

WISE  Analysis 

(Worker  and  Instruction 

Safety  Evaluation  Analysis) 

The  extensive  nature  of  human  involvement  (especially  procedural  tasks)  in  virtually  every 
Coast  Guard  mission/operation  makes  tools  for  thoroughly  evaluating  human  error  very 
important.  The  WISE  analysis  methodology  combines  into  one  technique  an  awareness  of 
how  people  can  impact  processes  and  how  processes  can  affect  people 

HAZOP  Analysis 

(Hazard  and  Operability 
Analysis) 

This  technique  is  similar  in  nature  to  WISE,  but  is  more  applicable  to  fluid  and  thermal 
systems,  which  are  abundant  on  Coast  Guard  vessels.  It  provides  a  more  structured  approach 
than  a  what-if/checklist  analysis  to  identifying  hazard  and  operability  problems  stemming 
from  system  deviations 

FMEA 

(Failure  Mo^^es  and  Effects 
Analysis) 

The  Coast  Guard  uses  mechanical  and  electrical  systems/equipment  extensively,  making 

FMEA  a  natural  choice  for  these  applications  when  a  less  structured  what-ifrchecklist 
analysis  may  be  inadequate.  (Although  HAZOP  analysis  could  be  useful  for  analyzing  Coast 
Guard  fluid  and  thermal  systems,  FMEA  can  be  equally  effective  in  such  applications  for 

Coast  Guard  systems) 

FTA/ETA 

(Fault  Tree  Analysis  and 

Event  Tree  Analysis) 

Because  the  Coast  Guard  has  several  systems  with  built-in  redundancy  and  multiple  levels  of 
safeguards,  modeling  techniques  for  identifying  complex  combinations  of  equipment  failures 
and  human  errors  will  be  important  for  some  situations.  FTA/ETA  are  the  most  widely 
recognized  and  universally  applicable  techniques  for  these  situations 

HRA 

(Human  Reliability  Analysis) 

The  importance  of  human  errors  in  Coast  Guard  operations  and  the  complexity  of  some 
operations/procedures  make  HRA  potentially  usefbl  for  special  situations  as  a  supplement  to 
other  techniques  (especially  WISE  analysis) 

CCFA 

(Common  Cause  Failure 
Analysis) 

When  a  situation  is  complex  enough  to  require  FTA/ETA,  the  potential  for  common  cause 
failures  cannot  be  overlooked.  CCFA  should  always  be  applied  (in  some  level  of  detail)  with 
FTA/ETA 

Section  7  of  Attachment  A  discusses  the  detailed  risk  analysis  techniques  in  more  detail. 
Attachments  D  and  E  are  examples  of  a  detailed  risk  analysis  performed  for  the  Coast  Guard. 


4.2  Risk-based  Safety  Survey  Process 

Although  risk  analyses  are  useful  for  determining  what  types  and  levels  of  protection  should 
be  in  place  to  effectively  control  the  risks  of  potential  losses,  the  benefits  of  such  analyses  can  be 
realized  only  if  proper  field  implementation  of  the  planned  protections  is  accomplished. 
Traditional  safety  surveys  are  typically  audits  using  a  systematic  process  (e.g.,  checklist)  to  assess 
compliance  with  requirements.  They  help  to  manage  risk  by  ensuring  that  requirements 
specifying  protections/safeguards  are  being  implemented  correctly. 

The  risk-based  safety  survey  process  uses  predictive  as  well  as  historical  risk  information  to 
focus  survey  resources  on  issues  associated  with  the  most  significant  risks.  A  risk-based  safety 
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survey  helps  the  organization  manage  risk  by  ensuring  that  both  intemal/extemal  requirements 
specifying  protections/safeguards  and  other  safeguards  identified  in  the  coarse  risk  analysis  are 
being  implemented  correctly  (See  Figure  4.7).  The  process  also  includes  methods  for  determining 
the  root  cause  of  deficiencies  and  focusing  corrective  action  resources  on  the  most  significant 
risk  issues. 


Coarse  Risk 
Analysis 

Safeguard 

Boom  is 

inspected 

annually 


Risk-based  Safety  Survey 

Evaluation  Point 

Requirement 

Are  booms  tested 

COMDTINST 

annually? 

M90006.B 

Is  the  date  of  the  last 

COMDTINST 

boom  test  stenciled  near 
the  label  plate  in  a 
location  where  it  is 
clearly  legible? 

M90006.B 

Figure  4.7  Basis  for  the  Risk-based  Safety  Survey  Process 
The  objectives  of  the  risk-based  safety  survey  process  include: 

•  Focusing  survey  attention  on  the  most  significant  risks 

•  Providing  more  objective  prioritization  of  findings  than  traditional  surveys 

•  Allowing  more  efficient  use  of  survey  resources 

•  Resolving  root  causes  of  findings 

•  Developing  safeguard  dependability  information 

•  Improving  Coast  Guard  standards  and  requirements 

A  risk-based  safety  survey  involves: 

•  Focusing  field  observations  and  reviews  on  the  most  risk  significant  areas 

•  Identifying  nonconformances  to  requirements  as  well  as  nonconformance  trends 
through  interviews  with  personnel,  field  observations,  and  documentation  reviews 

•  Determining  the  underlying  root  cause(s)  of  findings 


21 


•  Prioritizing  the  findings  and  resolving  higher  risk  findings  first  to  efficiently  and 
economically  use  resources 

•  Tracking  the  resolution  of  findings  to  ensure  recommendations  for  correcting  problems 
are  resolved  in  a  timely  maimer 

The  risk-based  safety  survey  process  places  the  responsibility  and  authority  for  ensuring  that 
planned  protections  are  in  place  and  working  effectively  on  the  xmit  commanding  officers  and 
their  staffs.  The  units  must  understand  the  required  protective  measures  and  make 
implementation  a  high  priority  for  effective  loss  prevention.  The  risk-based  safety  survey 
process  assumes  that  acceptance  of  this  basic  obligation  exists  and  that  imits  are  conducting  their 
own  self-surveys  to  verify  their  conformance  with  established  requirements  to  supplement  risk- 
based  safety  surveys  by  third  parties  (e.g.,  MLC  personnel  independent  of  the  unit  being 
evaluated).  These  third-party  surveys  complement  (not  replace)  imit  self-surveys. 

4.2.1  Risk-based  Safety  Survey  Steps 

There  are  five  major  steps  in  the  risk-based  safety  survey  process: 

(1)  Plan  a  safety  survey  —  Planning  a  survey  involves  identifying  the  scope  of  the  survey  and 
preparing  for  the  survey.  A  key  factor  in  the  planning  process  is  the  risk  prioritization  of  the 
evaluation  points  (checklist  items).  The  risk  associated  with  each  evaluation  point  is  determined 
by  combining  information  from: 

•  an  applicable  coarse  risk  analysis  using  the  link  shown  in  Figure  4.7, 

•  past  mishaps  (losses),  and 

•  past  safety  survey  findings. 

(2)  Assess  the  requirements/evaluation  points  and  record  findings  —  This  task  is  the  actual 
survey  of  the  unit.  Survey  team  members  canvass  the  unit,  reviewing  evaluation  points.  The 
survey  includes  equipment  inspections,  personnel  interviews,  and  documentation  reviews. 
Findings  are  deficiencies  in  meeting  the  intent  of  an  evaluation  point. 

(3)  Identify  root  causes  of  findings  —  Determining  the  underlying  causes  of  a  deficiency  and 
correcting  them  helps  to  ensure  that  the  deficiency  does  not  occur  again  and  prevents  the 
underlying  causes  from  contributing  to  other  types  of  deficiencies  and  losses. 
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Root  cause  analysis  should  be  performed  at  some  level  of  detail  for  each  finding.  For  some 
findings,  the  simple  question  “why?”  is  enough  to  determine  a  root  cause.  Other  findings 
may  require  more  rigor  (e.g.,  5  Whys  technique,  Root  Cause  Map™  technique)  to  find  the 
root  causes.  The  level  of  detail  and  the  number  of  findings  investigated  with  root  cause 
analysis  is  left  to  the  discretion  of  the  survey  team. 

(4)  Determine  the  risk  impact  of  findings  —  This  step  of  the  process  involves  assigning  a 
relative  risk  weighting  to  each  finding  that  characterizes  the  finding's  potential  impact  on  unit 
risk  (from  the  coarse  risk  analysis).  This  step  uses  the  relationship  shown  in  Figure  4.7.  Risk 
impact  is  the  foundation  for  prioritizing  the  findings  for  resolution  and  other  tasks  in  the  safety 
survey  process. 

(5)  Document  the  results  and  resolve  the  findings  —  The  safety  survey  visit  is  concluded 
with  an  outhrief  highlighting  the  results  of  the  survey.  The  results  are  also  documented  in  a  safety 
survey  report  that  is  submitted  to  the  unit  command,  and  the  findings  are  documented  in  a 
findings  database.  These  steps  are  discussed  in  significant  detail  in  Section  8  of  Attachment  A. 


4.2.2  Risk-based  Safety  Survey  Results 

The  risk-based  safety  sinvey  process  provides  feedback  about  the  effectiveness  of  safeguards 
designed  to  control  risk  of  potential  losses.  This  feedback  is  in  the  form  of  findings.  Figure  4.8 
is  an  example  of  determining  the  risk  impact  of  a  finding.  All  findings  from  a  risk-based  safety 
survey  would  be  analyzed  and  prioritized  so  they  can  be  resolved  in  a  cost-effective  manner  and 
so  that  higher  risk  issues  are  addressed  first.  Section  8  of  Attachment  A  provides  the  details  of 
obtaining  this  risk-based  safety  survey  result  and  others.  Attachment  F  provides  an  example  of  a 
risk-based  safety  survey  that  was  performed  on  a  Coast  Guard  vessel. 

Figure  4.8  shows  the  determination  of  the  risk  impact  of  a  risk-based  safety  survey  finding. 
The  method  for  this  determination  involves  estimating  the  change  in  risk  of  tiie  coarse  risk 
analysis  deviation(s)  associated  with  the  evaluation  point  if  the  finding  (deficiency  in  a  safeguard) 
is  left  uncorrected.  The  revised  frequency  scores  in  Figure  4.8  represent  the  characterization  of 
the  coarse  risk  analysis  deviation  if  the  finding  is  left  uncorrected.  The  change  in  RIN  (with  risk 
expressed  within  parentheses  as  increased  dollar/year  loss)  is  associated  with  a  risk  impact  level. 
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Finding 

Evaluation 

Point 

Affected  Deviation 
(Operation/ 
Evolution 

Fimction 

Deviaticxi) 

Baseline 

Frequency 

Scores 

Revised 

Frequency 

Scares 

Change 
in  RINt 
(Risk*) 

Risk  Impact 

A/B 

B 

B 

A/B 

B 

B 

No  record 

of  a  crane 

inspection 

being 

performed 

for  2 

years 

N003 

Woricing  aids  to 
navigation 

Operating  lifting 
equipment 

Loss  of  support 

2 

3 

1 

5 

6 

1 

9.0 

($90,000) 

Medium 

t  Risk  Index  Number 

*  Estimated  economic  risk  Impact  based  on  a  change  in  risk  of  an  associated  coarse 
risk  analysis  deviation. 


Figure  4.8  Risk  Impact  of  a  Risk-based  Safety  Survey  Finding 

Figure  4.9  is  an  example  of  the  results  of  a  root  cause  analysis  of  a  finding.  There  were  two 
root  causes  discovered  for  this  finding,  and  two  actions  were  suggested. 


Finding 

Root  Cause(s) 

Suggested  Actions 

Portable  winch  cable  had 
not  been  weight  tested  in 
3  years 

Background 

Three  years  ago.  the 
Coast  Guard  vessel 
purchased  two  portable 
winches  for  engine  room 
maintenance.  The 
vessel  had  previously 
not  had  this  type  of 
equipment  in  Its 
inventory 

No  policy  or  procedure  to 
ensure  new  acquisitions 
are  added  to  the  vessel 
test  and  inspection 
program 

No  policy  or  procedure 
requiring  personnel  to 
verify  that  certifications 
were  up-to-date  before 
using  equipment 

Develop  guidance  for 
adding  new  acquisitions 
to  appropriate  equipment 
logs  such  as  test  and 
Inspection  programs 

Develop  guidance 
verifying  certifications  of 
equipment  before  use, 
and  train  personnel  on 
the  guidance 

Figure  4.9  Results  of  a  Root  Cause  Analysis 


4.3  Risk  Analysis  and  Risk-based  Safety  Survey  Process  Integration 

The  risk  analysis  and  risk-based  safety  survey  processes  are  tightly  integrated  through  an 
exchange  of  important  risk  information.  Figure  4. 10  shows  the  information  exchanges.  The 
integration  of  the  two  processes  improves  the  Coast  Guard’s  ability  to  manage  the  risks 
associated  with  its  operations. 
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Figure  4.10  IRA  Information  Exchanges 


4.4  Making  Decisions  Using  the  IRA  Process 

The  IRA  process  is  a  management  tool  that  can  be  used  at  each  stage  of  the  life  cycle  of 
activities  to  make  decisions.  The  specific  part  of  the  IRA  process  used  will  depend  on  the  type  of 
risk-based  information  required  for  the  decision  a  Coast  Guard  manager  is  trying  to  make.  As  an 
example.  Table  4.3  provides  vessel  life  cycle  activities,  how  the  risk-based  information  fi'om  the 
IRA  process  may  be  used  to  make  decisions,  and  example  outcomes  of  using  the  information. 

Sections  5  and  8  of  Attachment  A  expand  this  table  to  include  specific  element(s)  of  the  IRA 
process  that  help  make  these  decisions. 
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Risk  Analysis 


Table  4.3  Uses  of  the  IRA  Process  for  Vessel  Life  Cycle  Activities 


Use  of  IRA  Process 

Example  Outcomes 

Procurement 

Identification  of  major  hazards  and  associated  risks  (including 
human  factors  issues)  and  required  controls  while  developing 
bid  specifications  for  major  acquisitions  (e.g.,  new  vessels  or 
major  onboard  systems) 

Requiring  built-in  redundancy  for  specific  components  of  a 
vessel’s  automated  navigation  system 

Risk-based  selection  among  competing  design  alternatives  for 
major  acquisitions 

Determining  (and  documenting)  that  Design  A  provides  “best 
value”  to  the  Coast  Guard  because  it  poses  significantly  less  risk 
of  major  losses  than  Design  B,  which  is  slightly  less  expensive 

Construction,  Fabrication,  and  Commissioning 

Identification  of  design  weaknesses,  safe  operating  limits, 
critical  preventive  maintenance  tasks,  human  factors  issues, 
etc.,  for  selected  systems  (i.e.,  those  that  could  lead  to  losses  of 
interest)  after  the  final  design  is  complete  for  major  acquisitions 

Requiring  an  audible  alarm  and  semiarmual  calibration  of 
fathometers  for  a  vessel 

Evaluation  of  proposed  changes  and  identified 
nonconformances  from  the  approved  design 

Approving  a  proposed  field  change  (or  a  recognized 
nonconformance)  in  the  routing  of  a  high-pressure  steam  line 
because  the  new  routing  poses  no  identifiable  increase  in  risks  to 
personnel  or  equipment 

Vessel  Operations  and  Maintenance 

Identification  of  precautions  to  be  taken  in  performing 
operations  outside  of  prescribed  limits  (casc-by-case  basis  for 
decisions  made  by  vessel-board  personnel) 

Establishing  more  stringent  maneuvering  restrictions  and 
additional  watch  requirements  for  performing  search  and  rescue 
(SAR)  operations  in  extreme  weather  conditions  that  would 
normally  cause  discontinuation  of  the  operation 

Identification  of  precautions  to  be  taken  in  preparation  for 
performing  operations  when  relevant  vessel  systems  will  be 
unavailable  (case-by-case  basis  for  operations/cfliciencics 
identified  by  vessel-board  personnel) 

Posting  additional  watches  and  conducting  special  operations 
briefings  before  conducting  an  operation 

Evaluation  of  proposed  changes  and  identified 
nonconformances  from  the  standard  vessel  configuration  (casc- 
by-casc  basis  for  changes  suggested  and  approved  by  vessel- 
board  personnel) 

Rejecting  a  request  to  temporarily  store  equipment  on  the  deck 
while  a  storage  locker  is  being  replaced  because  the  movement  of 
the  equipment  under  expected  high  seas  could  lead  to  losses  of 
interest 

Identification  of  weaknesses  in  procedures  that  could  lead  to 
losses  of  interest  (case-by-case  basis  for  procedures  developed 
and  approved  by  vessel-board  personnel) 

Revising  vague  steps  of  a  procedure  (e.g.,  “open  the  valve 
slightly”)  because  a  human  error  associated  with  the  operation 
could  lead  to  a  loss  of  interest 

Area,  District,  or  Group  Management  of  Operations  and  Maintenance 

Identification  of  design  weaknesses,  safe  operating  limits, 
critical  preventive  maintenance  tasks,  human  factors  issues, 
etc.,  for  selected  systems  (i.e.,  those  that  could  lead  to  losses  of 
interest)  aboard  existing  ships  that  did  not  receive  such  reviews 
before  being  placed  in  operation 

Recommending  redesign  of  a  small  craft  launching  system 
component  that  could  inadvertently  trigger  a  release  of  a  boat 
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Table  4.3  Uses  of  the  IRA  Process  for  Vessel  Life  Cycle  Activities  (conUd) 


Use  of  IRA  Process 

Example  Outcomes 

Area,  District,  or  Group  Management  of  Operations  and  Maintenance  (cont’d) 

Identification  of  safe  operating  limits  (from  an 
operations/command  perspective  rather  than  a  hardware  system 
design  perspective,  which  was  addressed  during  design 
reviews)  and  preferred  precautions  to  be  taken  if  operating 
outside  of  such  restrictions 

Prohibiting  aircraft  fueling  operations  and  other  flammable 
material  handling  activities  until  disabled  onboard  firefighting 
systems  arc  returned  to  service,  but  allowing  emergency  fueling 
operations  if  another  onboard  pump  can  be  rigged  to  temporarily 
provide  adequate  firefighting  cqiability 

Identification  of  critical  training  topics,  standard  procedures 
necessary,  etc.,  for  preventing  losses  of  interest 

Deciding  to  write  a  special  procedure  and  conduct  special  training 
for  the  proper  way  to  launch  a  new  type  of  small  craft  (because 
the  operation  is  significantly  different  from  similar  operations  with 
older  small  craft) 

Identification  of  weaknesses  in  procedures  and  human  factors 
issues  that  could  lead  to  losses  of  interest  (for  standard 
procedures  applicable  to  a  class  of  vessels  or  the  entire  fleet) 

Making  the  units  of  pressure  referenced  in  a  procedure  (e.g.,  SI 
units)  consistent  with  those  commonly  used  aboard  a  vessel  and 
on  the  vessel’s  gauges  (e.g.,  English  units)  to  help  prevent 
confusion  that  could  lead  to  an  operating  error 

Evaluation  of  proposed  changes  for  standard  vessel 
configurations  (case-by-case  basis  for  changes  approved  by 
group/flect  officers) 

Deciding  (1)  against  a  crew  reduction  aboard  a  WMEC-270  cutter 
because  of  unacceptable  risks  associated  with  degraded  watch 
standards  or  (2)  in  favor  of  a  crew  reduction,  provided  that  each 
vessel  is  equipped  with  new  navigation  and  vessel  detection 
systems 

Monitoring  profiles  of  risks  for  classes  of  vessels  across  the 
Coast  Guard  to  help  understand/manage  risks  at  a  fleet  level 

Determining  that  a  specific  class  of  vessel  is  the  next  to  receive  a 
major  overhaul  (or  replacement)  program  because  of  high  loss 
rates 

Assigning  measures  of  importance  to  safety  inspection  items  to 
help  prioritize  responses  to  noted  deficiencies 

Deferring  resolution  of  a  few  deficiencies  noted  during  a  safety 
inspection  until  next  fiscal  year  because  the  deficiencies  do  not 
pose  any  significant  risks  of  losses 

Risk-based  selection  (including  consideration  of  other  factors, 
such  as  cost)  among  competing  alternatives  such  as  vessel 
deployment,  mission  assignments,  etc. 

Deciding  to  send  Vessel  A  on  an  extended  international  tour 
because  the  potential  for  losses  associated  with  (1)  its  tour  and  (2) 
its  absence  from  its  normal  station  are  less  than  those  for  Vessel  6 

Decommissioning 

Risk-based  selection  (including  consideration  of  other  factors, 
such  as  cost  and  political  pressure)  among  competing 
alternatives  for  vessel/station  decommissioning 

Deciding  (and  gaining  support  for  the  decision)  to  decommission 
Vessel  B  instead  of  Vessel  A,  even  though  there  is  some  political 
support  for  keeping  Vessel  B  in  service 

Identification  of  weaknesses  in  equipment  used  for 
decommissioning  and  associated  procedures  that  could  lead  to 
losses  of  interest 

Modifying  the  equipment  and  procedures  used  to  de-inventory 
hazardous  materials  from  a  vessel  while  the  vessel  is  being 
decommissioned 
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5.  IRA  Process  Development 


The  Coast  Guard  recognized  the  potential  benefit  in  using  risk-based  information  to  support 
decisions  concerning  the  management  and  control  of  its  assets.  The  RDC  committed  to 
developing  a  risk  assessment  process  for  providing  this  risk-based  information.  In  1995,  the  RDC 
teamed  with  JBFA  to  develop  and  test  a  Coast  Guard  risk  assessment  process,  which  became  the 
IRA  process. 

The  RDC  and  JBFA  used  a  three-phased  approach  to  develop  the  IRA  process.  Below  is  a 
brief  description  of  each  phase. 

Phase  1  —  identification  of  the  Coast  Guard’s  risk-based  information  needs,  development  of  the 
coarse  risk  analysis  technique,  identification  of  relevant  detailed  risk  analysis  tools,  development 
of  the  fi-amework  for  the  risk-based  safety  survey  process,  test  applications  of  the  coarse  and 
detailed  risk  analyses,  and  development  and  training  of  Coast  Guard  safety  professionals  on  the 
coarse  risk  analysis  technique. 

Phase  2  —  refinement  of  the  coarse  risk  analysis  process,  development  of  the  risk-based  safety 
survey  process,  integration  of  the  two  processes  into  the  IRA  process,  validation  of  the  IRA 
process  on  Coast  Guard  vessels,  revisions  to  the  training  course  developed  in  Phase  1,  and 
training  of  additional  Coast  Guard  personnel. 

Phase  3  —  modification  of  the  IRA  process  for  use  on  shore  facilities  and  validation  of  the  IRA 
process  on  Coast  Guard  shore  facilities. 

The  following  sections  discuss  each  of  the  project  phases,  including  the  approach,  results, 
and  lessons  learned  (issues)  associated  with  each  phase. 

Reminder:  During  the  course  of  this  research  project,  the  term  “hazard  analysis”  was 
changed  to  “risk  analysis”  to  better  describe  the  process.  Therefore,  the  term  “hazard  analysis  ” 
will  be  found  in  many  previous  letters,  reports,  and  other  work  products  related  to  this  project. 
These  previous  references  to  hazard  analysis  should  now  be  interpreted  as  references  to  risk 
analysis. 


28 


5.1  Phase  1 


The  RDC  and  JBFA  met  with  Coast  Guard  decision  makers  and  safety  professionals  to  gain 
understanding  of  the  current  Coast  Guard  processes  used  for  assessing  risk  and  the  Coast  Guard’s 
expectations  for  a  risk  assessment  methodology.  From  these  discussions,  the  RDC  and  JBFA 
proposed  that  the  risk  assessment  methodology  consist  of  two  elements:  (1)  a  risk  analysis 
process  and  (2)  a  risk-based  safety  survey  process.  In  general,  the  risk  analysis  process  would 
identify  risks  and  provide  risk  reduction  measures  where  appropriate,  and  the  risk-based  safety 
survey  process  would  enhance  the  current  safety  survey  process  with  risk-based  information  to 
help  ensure  that  the  safeguards  designed  to  reduce  risk  are  effectively  implemented  in  the  field. 
The  objectives  of  Phase  1  were  to  (1)  develop  and  test  a  risk  analysis  methodology  and 
(2)  develop  the  fi-amework  for  a  risk-based  safety  survey  process. 

5.1.1  Risk  Analysis 

From  discussions  with  Coast  Guard  decision  makers  and  safety  professionals,  the  Coast 
Guard  required  a  risk  analysis  methodology  that  would  meet  its  risk-based  information  needs 
without  overworking  or  underworking  the  issues.  To  accomplish  this,  the  RDC  and  JBFA 
considered  a  methodology  that  could  analyze  issues  at  two  levels  of  detail.  The  methodology 
would  include  (1)  a  coarse  risk  analysis  (streamlined  analysis)  for  assessing  most  situations  and 
(2)  a  set  of  detailed  risk  analysis  techniques  for  specific  situations  requiring  better  resolution  of 
results  and/or  higher  certainty  in  risk  characterization  of  scenarios. 

5.1.1.1  Coarse  Risk  Analysis 

Approach 

Once  the  Coast  Guard’s  coarse  risk  analysis  needs/expectations  were  identified,  the  RDC 
and  JBFA  began  investigating  what  hazard  evaluation  technique  (or  combination  of  techniques) 
would  best  serve  the  Coast  Guard  as  the  basis  for  its  coarse  risk  analysis  approach.  A  collection 
of  widely  accepted  hazard  evaluation  approaches  were  considered  (e.g.,  checklist  analysis,  the 
traditional  safety  review,  what-if  analysis,  the  traditional  process  risk  analysis,  relative  ranking 
tools,  FMEA,  and  HAZOP  analysis).  Multiple  approaches/formats  were  tested  to  determine  how 
well  they  might  meet  the  Coast  Guard’s  needs.  Through  this  refinement  process,  the  RDC  and 
JBFA  developed  a  proposed  coarse  risk  analysis  process  for  the  Coast  Guard,  recognizing  that, 
based  on  test  applications,  additional  revisions  and  improvements  of  the  process  would  likely  be 
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necessary.  The  proposed  process  was  primarily  based  on  the  HAZOP  analysis  technique  used  in 
the  petrochemical  industry. 

HAZOP  is  an  inductive  approach  that  uses  a  very  systematic  process  for  postulating 
deviations  from  the  design  intent  for  sections  of  systems  and  ensuring  that  appropriate  safeguards 
are  in  place  to  help  prevent  losses.  The  approach  generates  qualitative  descriptions  of  potential 
losses  (deviations,  causes,  mishaps,  and  safeguards)  as  well  as  lists  of  recommendations  for 
reducing  risks.  HAZOP  was  easily  adapted  to  incorporate  frequency  estimates  for  potential 
losses  and  the  operations/evolutions  and  ftmctions  of  Coast  Guard  units. 

The  RDC  and  JBFA  tested  the  proposed  coarse  risk  analysis  to  evaluate  the  effectiveness 
and  efficiency  of  the  methodology  by  working  with  three  different  teams  of  Coast  Guard  personnel. 
These  teams  participated  in  mock  risk  analysis  sessions,  testing  various  parts  of  the  proposed  coarse 
risk  analysis  process.  The  lessons  learned  from  the  test  application  were  used  to  modify  the 
proposed  process,  and  the  baseline  coarse  risk  analysis  process  was  created. 

As  a  test  of  the  baseline  methodology,  the  RDC  and  JBFA  performed  a  coarse  risk  analysis 
on  two  vessel  platforms,  the  USCGC  KENNEBEC  (a  WLIC-160  vessel)  and  the  USCGC 
HARRIET  LANE  (a  WMEC-270  vessel). 

In  addition  to  testing  the  methodology,  the  Coast  Guard  wanted  to  ensure  that  Coast  Guard 
safety  professionals  could  be  trained  to  perform  the  coarse  risk  analysis  process.  To  accomplish 
this,  the  RDC  and  JBFA  developed  a  week-long  training  course  that  included  discussions  on  risk 
and  general  risk  analysis  as  well  as  training  on  performing  the  coarse  risk  analysis  process.  This 
training  course  was  conducted  for  both  MLC-Pacific  (MLC-PAC)  and  MLC-Atlantic  (MLC- 
LANT)  safety  professionals  and  included  simulated  analyses  aboard  actual  Coast  Guard  vessels. 

Results 

In  general,  the  test  applications  of  the  methodology  on  USCGCs  KENNEBEC  and  HARRIET 
LANE  proceeded  very  well.  For  a  high-level  analysis,  the  coarse  risk  analysis  methodology 
effectively  highlighted  the  most  significant  risk  contributors  and  provided  enough  detail  to 
develop  meaningful  recommendations  for  reducing  risk.  The  results  of  the  analyses  provided  the 
Coast  Guard  with  the  appropriate  level  of  detail  for  making  risk-based  decisions. 
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The  training  session  was  successful  in  teaching  Coast  Guard  safety  professionals  to  perform 
the  coarse  risk  analysis  process.  During  the  session,  the  safety  professionals  provided  valuable 
feedback  concerning  the  methodology  that  the  RDC  and  JBFA  could  use  to  improve  the 
effectiveness  and  efficiency  of  the  process.  A  workshop  was  conducted  at  the  end  of  the  week, 
providing  the  safety  professionals  with  the  opportunity  to  use  the  analysis  technique  on  several 
vessel  activities.  The  workshop  successfully  demonstrated  that  the  coarse  risk  analysis  process 
was  sufficiently  structured  to  be  used  by  Coast  Guard  personnel  who  have  modest  risk  analysis 
experience. 

The  RDC  and  JBFA  planned  to  refine  the  coarse  risk  analysis  process  in  Phase  2  and  modify 
the  process  where  appropriate  for  integration  with  the  proposed  risk-based  safety  survey  process. 

Lessons  Learned 

Two  significant  issues  arose  during  Phase  1 ; 

( 1 )  While  testing  the  baseline  coarse  risk  analysis  (and  also  during  the  training  session),  the 
RDC  and  JBFA  found  that  it  worked  best  to  focus  the  analysis  on  one  operation/evolution  at 
a  time.  The  baseline  methodology  was  restructured  to  provide  tiiis  focus.  This  is  in  contrast 
to  evaluating  abnormal  conditions  (deviations)  across  all  operations/evolutions 
simultaneously.  The  modification  improved  the  subject  matter  experts’  understanding  and 
participation  in  the  analysis. 

(2)  As  the  baseline  coarse  risk  analysis  was  tested,  it  was  apparent  that  a  software  tool  was 
needed  to  help  perform  the  analysis,  maintain  the  analysis  data,  and  manipulate  the  analysis 
data  into  various  results. 

5.1. 1.2  DetaUed  Risk  Analysis 

Approach 

Many  types  of  detailed  risk  analysis  techniques  (both  qualitative  and  quantitative  in  nature) 
have  been  developed  over  the  past  30  to  40  years  to  help  analysts  in  a  variety  of  industries 
systematically  assess  the  hazards  in  their  activities  and  the  levels  of  risk  associated  with  those 
hazards.  The  RDC  and  JBFA  investigated  what  hazard  evaluation  techniques  would  best  serve 
the  Coast  Guard  as  detailed  risk  analysis  tools  in  specific  situations.  Rather  than  spending 
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resources  trying  to  create  new  techniques  (or  significantly  customizing  existing  techniques)  for 
the  Coast  Guard,  the  RDC  and  JBFA  approached  this  phase  of  the  risk  analysis  project  by 
recommending  that  the  Coast  Guard  adopt  a  small  set  of  the  widely  recognized,  standard  hazard 
evaluation  techniques  that  provide  a  broad  range  of  analysis  capabilities  as  part  of  the  Coast 
Guard’s  overall  risk  analysis  system.  The  rationale  for  using  “off-the-shelf’  techniques  included 
the  following  points: 

•  Existing  detailed  risk  analysis  techniques  have  been  repeatedly  used  in  a  variety  of 
applications  with  strong  histories  of  success  when  techniques  are  prudently  selected  for 
analysis  applications 

•  The  coarse  risk  analysis  methodology  will  satisfy  most  of  the  Coast  Guard’s  hazard 
evaluation  needs;  therefore,  detailed  risk  analysis  methodologies  are  somewhat  less 
important  and  do  not  warrant  the  resources  required  to  create  specialized  tools 

•  The  expected  use  of  outside  contractors  (in  larger  analyses)  to  support  Coast  Guard 
hazard  evaluation  needs  is  simplified  when  standard  analysis  approaches  are  specified 

•  Users/reviewers  of  risk  analysis  results  have  greater  confidence  in  the  quality  of  results 
when  widely  recognized  methodologies  are  followed 

To  demonstrate  the  effectiveness  of  a  detailed  risk  analysis  technique,  the  RDC  and  JBFA 
reviewed  WMEC-270  small  boat  operations  and  WLIC-160  aids  to  navigation  (ATON)  deck 
operations  using  several  techniques.  Because  these  activities  were  included  in  the  testing  of  the 
baseline  coarse  risk  analysis,  choosing  them  provides  an  opportunity  to  compare  detailed  risk 
analysis  results  and  coarse  risk  analysis  results. 

Results 

The  standard  list  of  detailed  risk  analysis  techniques  was  identified.  This  list  is  documented 
in  Section  4. 1 .2  of  this  report,  Table  4.2.  Section  7  of  Attachment  A  contains  a  detailed 
discussion  of  these  techniques. 

The  assessment  of  WMEC-270  small  boat  operations  was  performed  using  the  WISE 
analysis  technique  coupled  with  a  human  error  (error-likely  situation)  review  and  a  procedural 
review.  The  analysis  confirmed  the  risk  assessment  performed  by  the  coarse  risk  analysis. 
However,  the  detailed  study  provided  a  more  focused  review  of  small  boat  operations  and  thus 
developed  recoimnendations  that  the  coarse  risk  analysis  would  not  have  produced  (nor  should 
have  produced  due  to  the  level  of  resolution  needed  from  the  coarse  risk  analysis).  The  analysis 
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was  very  successful  in  demonstrating  the  benefits  of  detailed  risk  analysis.  Attachment  D 
contains  the  results  of  this  detailed  risk  analysis. 

The  detailed  analysis  of  WLIC-160  ATON  deck  operations  was  performed  using  the  what-if 
analysis  technique.  This  technique  was  considered  most  appropriate  to  ATON  operations 
because  (1)  personnel  experienced  in  ATON  operations  were  available  for  valuable 
brainstorming  discussions  and  (2)  more  structured  analysis  techniques  (such  as  HAZOP  or 
FMEA)  were  not  needed  to  assess  the  risks  associated  with  the  complexity  of  this  operation.  As 
expected,  the  what-if  analysis  refined  the  coarse  risk  analysis  results  with  more  detailed 
descriptions  of  specific  causes  of  certain  mishaps  and  additional  recommendations  for  risk 
reduction.  This  analysis  was  also  a  successful  demonstration  of  a  detailed  analysis  technique. 
Attachment  E  contains  the  results  of  this  detailed  risk  analysis. 

Lessons  Learned 

The  detailed  risk  analysis  process  worked  well,  and  no  significant  issues  arose  as  a  result  of 
Phase  1. 


5.1.2  Risk-based  Safety  Survey 

Approach 

The  Coast  Guard  relies  heavily  on  conformance  to  safety  standards  to  ensure  the  safety  of  its 
personnel  and  assets.  Safety  professionals  within  the  Coast  Guard  are  very  familiar  with  the 
safety  standards  and  their  application.  The  Coast  Guard  wishes  to  capitalize  on  this  corporate 
knowledge  to  improve  safety  standards  and  imit  risk  assessments. 

The  RDC  and  JBFA  met  with  Coast  Guard  safety  professionals  to  determine  the  current 
state  of  assessing  and  implementing  safety  standards.  The  RDC  and  JBFA  sought  to  imderstand 
how  the  safety  standards  could  be  organized  and  prioritized  from  a  risk  impact  perspective  to 
improve  the  Coast  Guard  safety  survey  process.  The  Coast  Guard  desired  to  maximize  the 
benefit  of  safety  surveys  while  reducing  the  amount  of  time  required  by  the  Coast  Guard  safety 
professionals  to  perform  safety  surveys. 

The  RDC  and  JBFA  polled  private  industry  and  the  Navy  to  understand  their  approach  to 
performing  safety  surveys  and  using  safety  survey  information.  As  a  result  of  this  investigation. 
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the  RDC  and  JBFA  identified  two  significant  ways  to  meet  the  Coast  Guard’s  desires:  (1)  focus 
safety  surveys  on  higher  risk  issues  and  (2)  prioritize  safety  survey  findings  for  efficient 
resolution. 

The  RDC  and  JBFA  investigated  ways  to  focus  safety  surveys  on  the  higher  risk  issues  by 
prioritizing  the  survey  evaluation  points  according  to  the  risk.  The  most  logical  method  for  this 
prioritization  appeared  to  be  by  using  risk-based  information  fi*om  the  risk  analysis  process. 
Focusing  on  the  higher  risk  issues  ensures  an  effective  survey  of  the  dominant  risk  contributors 
while  potentially  reducing  the  work  load  of  the  safety  professionals.  Also,  reviewing  the  risk 
associated  with  evaluation  points  can  eliminate  requirements  that  add  little  value  to  the  safety 
survey  process. 

The  RDC  and  JBFA  also  investigated  methods  to  effectively  and  efficiently  focus  Coast 
Guard  resources  on  resolving  findings  (or  deficiencies)  identified  as  a  result  of  the  safety  survey. 
A  method  is  needed  for  prioritizing  findings  so  that  resources  can  be  focused  on  high  risk  issues. 
To  prioritize  findings,  the  risk-based  information  from  the  risk  analysis  process  can  be  used  for 
determining  the  impact  a  finding  has  on  the  risk  of  a  Coast  Guard  unit.  Once  the  risk  impact  of  a 
finding  is  determined,  the  Coast  Guard  can  identify  a  resolution  order. 

Results 

The  RDC  and  JBFA  proposed  a  framework  for  a  risk-based  safety  survey  process.  The 
process  developed  from  this  framework  would  meet  the  Coast  Guard’s  risk-based  information 
needs  and  desires  for  an  efficient  and  effective  safety  survey  process.  The  risk-based  safety 
survey  process  would  be  developed  and  validated  in  Phase  2.  Where  appropriate,  the 
development  would  focus  on  integration  with  the  risk  analysis  process. 

Lessons  Learned 

The  risk-based  safety  survey  fi’amework  was  developed,  and  no  significant  issues  arose  as  a 
result  of  Phase  1. 

5.2  Phase  2 

The  objectives  of  Phase  2  were  to  refine  the  risk  analysis  process,  formalize  the  risk-based 
safety  survey  process,  integrate  the  processes  into  the  IRA  process,  train  Coast  Guard  personnel 
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to  conduct  a  risk  analysis  and  a  risk-based  safety  survey,  and  validate  the  IRA  process  on  vessel 
applications.  The  work  on  the  risk  analysis  process  consisted  of  refinement  of  the  coarse  risk 
analysis  process  and  validation  of  the  coarse  and  detailed  risk  analysis  processes  on  vessel 
applications.  The  proposed  risk-based  safety  survey  process  from  Phase  1  was  formalized  and 
validated  on  a  vessel  application.  Integration  of  the  two  processes  was  tested  during  validation 
of  the  risk-based  safety  survey  process.  The  training  course  developed  in  Phase  1  was  updated  to 
reflect  modifications  to  the  processes,  and  additional  Coast  Guard  personnel  were  trained. 

5.2.1  Coarse  Risk  Analysis 

Approach 

The  coarse  risk  analysis  process  was  refined  to  address  the  issues  identified  in  Phase  1.  The 
major  change  in  the  process  was  to  restructure  the  analysis  around  operations/evolutions  and 
focus  on  one  operation/evolution  at  a  time  during  the  analysis.  The  RDC  and  JBFA  validated  the 
refined  coarse  risk  analysis  by  performing  an  analysis  of  the  operations/evolutions  of  the  USCGC 
MELLON  (a  WHEC-378  vessel)  during  a  1-week  analysis  session.  Coast  Guard  safety 
professionals  led  the  validation  exercise  with  the  assistance  of  the  RDC  and  JBFA.  This  test 
application  also  validated  the  success  of  the  training  course  (described  in  Phase  1)  in  equipping 
Coast  Guard  safety  professionals  to  lead  these  analyses. 

In  support  of  the  test  analysis,  an  off-the-shelf  software  tool  was  adapted  for  documenting 
the  raw  data  from  the  analysis. 

Results 

The  coarse  risk  analysis  validation  on  the  USCGC  MELLON  proved  to  be  successful  and 
very  beneficial  in  revealing  potential  areas  for  improvement  in  the  coarse  risk  analysis  process. 
The  analysis  team  successfully  analyzed  the  majority  of  the  operations/evolutions  of  the  USCGC 
MELLON,  developed  a  risk  profile  for  the  vessel,  and  generated  numerous  risk  reduction 
recommendations. 

Lessons  learned  from  using  the  software  tool  to  document  the  analysis  were  incorporated 
into  the  development  of  a  software  tool  to  support  the  IRA  process. 
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The  Coast  Guard  safety  professionals  successfully  led  the  test  application.  The  training  they 

received  during  the  week-long  training  course  (described  in  Phase  1)  proved  to  be  successful  in 

preparing  them  for  leading  a  coarse  risk  analysis. 

Lessons  Learned 

Two  significant  issues  arose  during  the  validation  of  the  coarse  risk  analysis: 

(1)  The  RDC  and  JBFA  wrestled  with  the  most  appropriate  and  effective  method  to  represent 
the  RIN,  which  is  a  representation  of  risk  associated  with  Coast  Guard  activities.  The 
baseline  coarse  risk  analysis  method  for  calculating  the  RIN  used  a  simple  method  that 
included  risk  scores  for  Class  A/B  and  Class  C/D  mishap  categories.  Testing  the 
methodology  revealed  that  this  method  inflated  the  risk  contribution  of  high  consequence 
losses  (Class  A  and  Class  B  mishaps)  in  the  RIN.  To  correct  this,  the  method  for  calculating 
the  RIN  was  modified.  The  new  method  was  tested  and  corrected  the  initial  problem,  but 
introduced  another.  Using  the  new  method  for  calculating  the  RIN,  the  lowest  consequence 
losses  (Class  D  mishaps)  became  the  dominant  factor  in  the  Class  C/D  mishap  category 
score.  The  new  method  resulted  in  Class  D  mishaps  inflating  the  risk  contribution  of  the 
Class  C/D  mishap  category  in  the  RIN. 

The  final  resolution  was  to  divide  the  Class  C/D  mishap  category  into  a  Class  C  mishap 
category  and  a  Class  D  mishap  category.  The  revised  methodology  assigns  risk  scores  to 
Class  A/B,  Class  C,  and  Class  D  mishaps.  This  change  was  incorporated  into  the 
methodology  and  tested  in  Phase  3. 

(2)  Functions  as  defined  in  the  baseline  coarse  risk  analysis  process  describe  (1)  key  activities 
for  accomplishing  operations/evolutions  (e.g.,  maneuvering  the  vessel)  or  (2)  key  activities 
for  controlling  different  types  of  hazards  (e.g.,  controlling  physical  hazards).  This  approach 
provided  sufficient  analysis  structure  to  identify  important  problem  areas,  but  did  have  some 
weaknesses.  The  approach  segregated  safety-related  issues  from  operational  issues, 
overlooked  the  interrelationship  of  several  functions,  and  overlooked  potential  problems 
associated  with  loss  of  capability  to  perform  key  activities  as  well  as  poor  quality  in 
performing  those  activities. 

These  weaknesses  caused  some  confusion  for  analysis  team  leaders  and  team  members.  In 
addition,  some  Coast  Guard  safety  professionals  expressed  concern  about  the  message  that 
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separating  “safety”  and  “operational”  issues  sends  to  Coast  Guard  managers  (i.e..  Would  it 
lessen  the  impact  of  safety  concerns?). 

The  resolution  for  this  issue  involved  revising  function  definitions  (and  associated 
deviations)  to  focus  on  fundamental  activities  that  occur  for  a  unit  (e.g.,  operating  vessels, 
vehicles,  aircraft,  or  equipment,  operating/maintaining  structures',  and  providing 
services/utilities).  A  diverse  set  of  deviations  is  included  for  each  function.  These 
deviations  cover  (1)  loss  of  the  function,  (2)  incorrect  execution  of  the  function,  and  (3)  a 
variety  of  hazardous  exposures  that  could  occur  while  performing  the  function  (including 
associated  maintenance  activities).  The  new  functions  were  tested  in  Phase  3. 

5.2.2  Detailed  Risk  Analysis 

Approach 

In  Phase  2,  the  Coast  Guard  desired  to  perform  an  additional  test  of  a  detailed  risk  analysis 
technique.  The  detailed  risk  analysis  approach  meets  the  Coast  Guard’s  detailed  analysis 
objectives  and  was  not  modified  from  Phase  1 . 

The  Coast  Guard  chose  to  perform  an  analysis  of  incinerator  installations  on  board 
WHEC-378  vessels.  The  incinerator  installation  on  board  the  USCGCMUNRO  was  selected  by 
the  Coast  Guard  as  the  subject  of  the  detailed  risk  analysis,  with  the  intent  of  applying  any 
lessons  learned  from  the  analysis  to  that  installation  (as  appropriate)  and  to  subsequent 
installations  on  other  cutters  (especially  other  cutters  in  the  same  class). 

Results 

The  RDC  and  JBFA  successfully  performed  a  what-ifrchecklist  analysis  on  the  incinerator 
installation.  Coast  Guard  vessel  and  shore-based  personnel  participated  in  the  analysis.  Several 
recommendations  for  improving  the  incinerator  installation  were  generated  from  the  detailed  risk 
analysis. 

Lessons  Learned 

The  detailed  risk  analysis  process  worked  well,  and  no  significant  issues  arose  as  a  result  of 
Phase  2. 
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5.2.3  Risk-based  Safety  Survey  (Phase  2) 


Approach 

The  risk-based  safety  survey  process  proposed  in  Phase  1  was  formalized  and  integrated 
with  the  coarse  risk  analysis  process.  The  RDC  and  JBFA  determined  the  information  required 
from  the  coarse  risk  analysis  process  and  developed  detailed  steps  for  prioritizing  evaluation 
points  and  risk  ranking  survey  findings  for  resolution.  Root  cause  analysis  techniques  were 
investigated  for  appropriately  resolving  findings.  The  RDC,  JBFA,  and  MLC-PAC  (kse) 
validated  the  risk-based  safety  survey  process  on  the  USCGC  SHERMAN  (a  WHEC-378  vessel). 
By  performing  the  process  on  a  WHEC-378,  integration  of  the  coarse  risk  analysis  and  risk-based 
safety  survey  could  also  be  tested. 

Results 

The  RDC  and  JBFA  used  the  results  of  the  WHEC-378  coarse  risk  analysis  and  past  safety 
survey  findings  information  (from  MLC  safety  professionals)  to  prioritize  the  safety  survey 
evaluation  points.  The  safety  survey  tested  on  the  host  vessel  (USCGC  SHERMAN)  focused  on 
the  higher  risk  evaluation  points.  The  survey  produced  several  meaningful  findings.  The  RDC, 
JBFA,  and  MLC  safety  professionals  used  the  IRA  process  to  rank  the  findings  according  to  their 
impact  on  overall  vessel  risk.  The  risk-ranked  findings  were  prioritized  for  resolution  and 
presented  to  the  vessel  command.  The  IRA  process  identified  that  some  findings  did  not  require 
immediate  resolution  due  to  their  very  low  risk  impact  to  the  vessel. 

The  validation  was  successful  in  testing  the  risk-based  safety  survey  process  and  the 
methodology  for  integrating  the  coarse  risk  analysis  and  risk-based  safety  survey  processes. 
Attachment  F  documents  the  results  of  this  risk-based  safety  survey  and  is  included  as  an 
example  of  a  risk-based  safety  survey.  (The  ultimate  formats  of  reports  for  the  Coast  Guard  are 
left  to  the  individual  commands.) 

Lessons  Learned 

The  risk-based  safety  survey  process  worked  well,  and  no  significant  issues  arose  as  a  result 
of  Phase  2. 
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5.3  Phase  3 


The  objective  of  Phase  3  was  to  refine  the  IRA  process  for  shore  facility  applications  and  to 
validate  the  process.  The  RDC  and  JBFA  reviewed  the  coarse  risk  analysis  and  risk-based  safety 
survey  processes  to  determine  differences  in  applying  these  processes  to  shore  facilities.  Upon 
review,  the  risk-based  safety  survey  process  appeared  to  be  the  same  when  applied  to  either  type 
of  Coast  Guard  unit  and  would  not  need  modifications.  However,  the  coarse  risk  analysis  would 
need  modifications  and  would  also  need  to  be  tested  on  shore  facilities.  The  main  objective  of 
Phase  3  was  to  make  necessary  adjustments  to  the  coarse  risk  analysis  process  and  test  it  on  shore 
facilities.  A  secondary  objective  was  to  test  the  risk-based  safety  survey  process  with  unit  safety 
supervisors  to  reduce  the  monitoring  burden  fi*om  the  MLC  staffs.  In  addition,  the  RDC  and 
JBFA  needed  to  ensiu-e  that  these  adjustments  maintain  the  effectiveness  of  the  process  when  it  is 
reapplied  to  vessels. 

5.3.1  Coarse  Risk  Analysis 

Approach 

When  applying  the  coarse  risk  analysis  process  to  shore  facilities,  the  RDC  and  JBFA  sought 
to  maintain  consistency  (to  the  maximum  extent  possible)  with  the  coarse  risk  analysis  process  as 
it  is  applied  to  vessels.  The  RDC  and  JBFA  tested  portions  of  the  process  on  hypothetical  shore 
facility  situations  and  found  that  the  core  structure  of  the  analysis  technique  also  worked  well  for 
shore  facilities.  However,  three  major  issues  were  discovered:  (1)  the  operations/evolutions  are 
different  for  shore  facilities,  (2)  some  functions  are  not  applicable  to  shore  facilities  and  others 
are  required,  and  (3)  the  coarse  risk  analysis  process  needs  to  be  able  to  assign  risk  to  a  specific 
location  for  shore  facilities  (when  needed). 

Shore  facilities  have  a  different  mission  fi’om  vessels  and,  therefore,  their  operations/ 
evolutions  are  different.  In  fact,  different  types  of  shore  facilities  (e.g..  Integrated  Support 
Commands  [ISCs],  Marine  Safety  Offices  [MSOs])  have  a  different  set  of  operations/evolutions 
due  to  their  different  missions.  A  new  set  of  operations/evolutions  was  developed  for  each  type 
of  shore  facility. 

Several  vessel  functions  (e.g.,  providing  ballasting  services)  are  not  applicable  to  shore 
facilities,  and  several  shore  facility  functions  (e.g.,  operating  powered  vehicles)  are  not  included 
in  the  vessel  function  list.  Upon  further  research,  the  RDC  and  JBFA  also  found  that  different 
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types  of  shore  facilities  have  a  slightly  different  set  of  functions  (the  MSO  function  list  contains  a 
number  of  inspection  functions).  The  RDC  and  JBFA  developed  the  shore  facility  fVmction  lists 
(ISC  and  MSO)  from  the  vessel  function  list  by  making  the  necessary  modifications  to  the  vessel 
list. 


Because  shore  facilities  involve  numerous  types  of  buildings  and  structures  (e.g.,  piers, 
parking  lots,  roads),  it  was  obvious  that  a  method  for  assigning  risk  to  individual  locations  would 
improve  the  effectiveness  of  the  coarse  risk  analysis  for  shore  facilities.  The  RDC  and  JBFA 
modified  the  methodology  in  such  a  way  that  the  resulting  modified  coarse  risk  analysis  process 
could  be  used  for  shore  and  vessel  applications. 

The  modified  approach  evaluates  deviations  in  the  same  manner  as  before,  except  the 
analysis  team  will  assess  how  the  deviation  risk  is  distributed  across  the  different  locations 
within  the  facility  (if  more  than  one  location  is  an  issue).  The  new  methodology  is  flexible 
enough  to  allow  the  analysis  to  proceed  without  assessing  location  risk.  This  gives  the  Coast 
Guard  analyst  the  option  to  perform  the  analysis  as  before  (without  assigning  risk  to  locations)  if 
that  information  is  needed. 

The  RDC  and  JBFA  tested  the  resulting  coarse  risk  analysis  process  on  an  ISC  and  an  MSO 
shore  facility.  The  RDC  and  JBFA,  with  the  support  of  MLC-LANT  (kse),  also  tested  the 
modified  process  on  a  WMEC-210  in  support  of  the  Paragon  project. 

Results 

The  RDC  and  JBFA  validated  the  new  coarse  risk  analysis  process  on  the  ISC  in  Seattle, 
Washington,  the  MSO  in  New  Orleans,  Louisiana,  and  the  USCGC  VENTUROUS  (a  WMEC- 
210  vessel).  The  ISC  analysis  included  assessing  the  risk  associated  with  locations.  The  MSO 
and  WMEC-210  analyses  did  not  assess  location  risk.  All  three  validations  produced  risk 
profiles  of  the  facilities  and  vessel,  and  meaningful  recommendations  for  reducing  risk.  The 
minor  modifications  to  the  coarse  risk  analysis  process  were  successful.  They  made  the  overall 
IRA  process  a  better  risk  assessment  tool  and  maintained  the  ability  to  assess  vessel  applications. 
Attachment  B  contains  the  results  of  the  WMEC-210  coarse  risk  analysis,  and  Attachment  C 
contains  the  results  of  the  ISC  coarse  risk  analysis. 
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Lessons  Learned 


The  coarse  risk  analysis  process  worked  well,  and  no  significant  issues  arose  as  a  result  of 
Phase  3. 


6.  Future  Development 

The  next  step  for  the  IRA  process  is  to  develop  a  management  system  that  will  manage  the 
IRA  process,  generate  the  required  IRA  process  data,  and  ensure  the  data  are  accessible  to  Coast 
Guard  managers  for  decision  making.  Work  will  focus  on  the  areas  described  below. 

Developing  an  IRA  Process  Software  Tool 

Because  of  the  complexity  involved  with  managing  and  manipulating  the  data  produced  by 
the  IRA  process,  the  Coast  Guard  identified  the  need  for  a  software  tool  to  assist  in  the 
implementation  of  the  process.  Development  of  the  IRA  process  software  tool  began  during 
Phase  3.  The  RDC  and  JBFA  used  the  experiences  gained  from  applying  the  IRA  process  on 
shore  and  vessel  applications  to  develop  a  conceptual  design' of  the  software  tool.  The  conceptual 
design  was  accepted  and  work  began  on  various  software  modules.  The  next  step  is  to  test  a  beta 
version  of  the  software.  The  IRA  process  beta  version  of  the  software  was  delivered  in  the  Fall  of 
1998  and  will  be  released  by  the  R&D  Qenter  early  in  1999. 

Developing  a  Management  System  for  the  IRA  Process 

JBFA  will  work  with  the  Coast  Guard  to  develop  a  management  system  for  the  IRA  process. 
This  system  will  define  the  roles  and  responsibilities  involved  in  implementing  the  IRA  process, 
define  the  management  of  the  IRA  information,  and  define  the  interaction  of  the  IRA  process  with 
other  Coast  Guard  management  systems. 
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Improving  Related  Coast  Guard  Management  Systems 


JBFA  will  work  with  the  Coast  Guard  to  identify  improvements  to  Coast  Guard 
management  systems  that  the  Coast  Guard  could  make  to  reduce  loss  exposure.  This  will 
include: 


•  Identifying  deficiencies  in  current  practices  where  new  management  systems  might  be 
needed  to  address  all  aspects  of  loss  prevention 

•  Improving  existing  management  systems  to  enhance  their  effectiveness  and/or 
efficiency  in  loss  prevention 

•  Prototyping  new  management  systems 

•  Exploring  how  the  Coast  Guard  can  measure  and  track  the  performance  of  management 
systems  and  their  effects  on  loss  prevention 


7.  Concluding  Remarks 

By  understanding  the  needs  of  the  Coast  Guard  and  following  the  guiding  principles,  the 
RDC  and  JBFA  developed  useful  techniques  and  tools  that  should  be  both  efficient  and  effective 
in  helping  the  Coast  Guard  control  its  losses  and  reduce  its  loss  exposure  over  time.  Validation 
proved  the  IRA  process  to  be  feasible  and  useful  in  assessing  a  wide  variety  of  Coast  Guard 
operations  and  facilities  at  various  levels  of  detail.  Coast  Guard  personnel  are  successfully  using 
the  IRA  process  to  understand  the  change  in  risk  when  making  changes  in  vessel  staffing  and 
operating  procedures.  Continued  implementation  of  the  process  will  provide  Coast  Guard 
management  with  information  for  risk-based  decision  making,  as  well  as  direction  for  the 
efficient  and  effective  use  of  limited  Coast  Guard  resources. 
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Attachment  A 


Integrated  Risk  Assessment  (IRA)  Manual 

The  IRA  Manual  is  a  detailed  description  of  the  IRA  process.  The  manual  includes  an  overview 
of  how  losses  occur,  a  discussion  of  risk  and  common  risk  analysis  methodologies,  an  overview  of 
the  IRA  process,  and  step-by-step  instructions  for  performing  and  managing  the  ERA  process. 

This  manual  is  part  of  the  course  for  trmning  Coast  Guard  personnel  to  perform  the  activities  in 
the  IRA  process.  The  analysis  of  a  WHEC-378,  vrith  Coast  Guard  personnel  leading  the  analysis, 
demonstrated  that  the  course  is  sufficient  to  train  Coast  Guard  personnel  to  conduct  assessments. 


The  information  contained  in  this  manual  consists  of  facts,  concepts,  and  principles  for 
conducting  hazard  evaluations  using  qualitative  and  quantitative  methods.  JBF  Associates, 
Inc.  assumes  no  liability  for  this  material  beyond  the  material's  intended  purpose  of  providing 
general  information  about  hazard  evaluations  and  safety  assessments. 

DO  NOT  attempt  to  operate  any  facility,  unit,  process,  system,  or  equipment  based  solely 
on  the  information  provided  in  this  manual.  Refer  to  your  own  operating  procedures, 
equipment  descriptions,  operating  limits,  safety  and  health  considerations,  etc. 
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How  Mishaps  Occur 


How  Mishaps  Occur 


Mishap  Fundamentals 


Cost  of  Mishaps 

Mishaps  rob  all  of  ns 

Our  personnel.  Mishaps  can  threaten  the  safety  and  long-term 
health  of  our  personnel. 

The  public.  Mishaps  can  also  threaten  the  safety  and  long¬ 
term  health  of  others. 

Our  organization.  Mishaps  directly  affect  organizational 
performance  by 

•  disrupting  production/missions, 

•  reducing  efficiency  and  increasing  expenses,  and 

•  creating  negative  publicity. 

The  environment.  Mishaps  can  cause  immediate  and/or  long¬ 
term  damage  to  the  environment. 

Our  customers.  Mishaps  ultimately  affect  customers  through 

•  our  inability  to  deliver  services/products  and 

•  increased  costs  for  services/products. 
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Mishap  Fundamentals 


Some  recent  major  Coast  Guard  losses 

•  COWSLIP  (1997,  >$7M) 

•  MESQUITE  (1990,  >$37M) 

•  BLACKTHORN  (1980,  23  deaths) 

•  CUYAHOGA  (1978,  11  deaths) 

Economies  of  Coast  Gnard  losses  and  loss  prevention* 


Year 

Cost  of  Losses 

Cost  of  Loss 
Prevention  Efforts 

Total  Cost 

1996 

>$10.4M 

>$1.5M 

>$11. 9M 

1995 

>$7M 

>$1.5M 

>$8.5M 

1994 

>$13.1M 

>$1.5M 

>$14.6M 

*Data  from  MISREPS  and  budget  estimates 
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Mishap  Fundainentals 


Idealized  Process  Operation 

INPUTS  PROCESS  OUTPUTS 


<1^ 


Dostrod 

products 


; 


Associatod 

wosto 

products 


Loss  Events 


Conceptual  View  of  Losses 

Loss  event 

•  Any  action,  state,  or  condition  in  which  a  system  is  not  meet¬ 
ing  one  or  more  of  its  design  intents 

•  Includes  actual  losses  and  near  misses 

Characteristics  of  loss  events 

•  Are  unplanned 

•  involve  a  combination  of  human  errors,  equipment  failures, 
and/or  external  events 

•  Have  significant  impacts  on  economics,  safety/health,  and  the 
environment 

•  Generally  have  underlying  root  causes  that  create  error-likely 
situations  for  people  and  vulnerabilities  for  equipment 

•  Frequently  preceded  by  identifiable  precursors  that  can  be 
detected  and  corrected 

•  Will  always  be  possible,  but  can  be  effectively  managed 
Effects  of  loss  events 

.  *  Less  capability 

-  inherent  capability  limitations 

-  capability  degradation 
■  Less  output 

-  quality  of  products 

-  unplanned  outages 

-  planned  outages 

•  Inefficiency 

-  human  resource  consumption 

-  material  consumption 

-  equipment  consumption 

-  utility  consumption 

•  Increased  liability  risk 

-  business 

-  safety/health 

-  environmental 
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Mishap  Fundamentals 


Loss  Prevention 


Loss  Prevention  Iceberg 

Iceberg  stmeinre 
Top 

Small,  but  critically  important  area  representing  major  losses. 
Typically  caused  by  many  of  the  same  problems  that  cause  other 
less  severe,  but  more  frequent,  day-to-day  problems 

Visible  remainder 

Significant  area  representing  the  routinely  occurring  day-to-day 
problems  that  lead  to  safety,  environmental,  and/or  economic 
losses 

Shallow  submerged 

Another  significant  area  representing  abnormal  events  that 
almost  resulted  in  losses,  but  did  not  for  some  reason.  Generally, 
these  near  misses  significantly  outnumber  actual  day-to-day 
losses  and  can  be  considered  precursors  to  many  of  the  losses 
that  actually  occur 

Deeper  submerged 

Large  area  representing  the  various  human  errors,  equipment 
failures,  and  external  events  that  cause  losses  and  near  misses 

Bottom 

Large  area  representing  the  underlying  management  system 
weaknesses  that  create 

•  error  likely  situations  for  people, 

•  equipment  vulnerabilities,  and/or 

•  inadequate  protection  against  external  events. 
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Mishap  Fundamentals 


Perspectives  about  loss  prevention 

Corporate  management  and  outsiders 

Avoid  major  losses  (or  excessive  numbers  of  less  severe  losses) 
that  threaten  business  viability  and/or  lead  to  significant  negative 
publicity 

Doy’tO'day  management 

Minimize  routine  losses  that  impact  productivity  and  cause  man¬ 
agement  "headaches."  Includes  some  attention  to  events  that 
almost  cause  losses  (i.e.,  "near  misses") 

Buoyancy  principle  as  a  gnide  for  loss  prevention 

Removing  mass  from  above  the  water  line  causes  the  iceberg 
to  rise 

Efforts  to  address  only  the  visible  events  help  reduce  the  overall 
size  of  the  iceberg,  but  the  iceberg  v/ill  rise  in  the  water  and  make 
other  events  visible 

Removing  mass  from  below  the  water  line  causes  the  iceberg 
to  sink 

Efforts  to  address  the  underlying  problems  help  reduce  the  overall 
size  of  the  iceberg  and  also  reduce  the  number  of  visible  events 
above  the  water  line 

Remember,  we  generally  cannot  eliminate  all  of  the  iceberg.  Even 
if  no  visible  problems  are  occurring,  danger  still  exists  below  the 
water  line.  Also,  watch  out  for  the  potential  for  major  events  to 
break  off  from  the  iceberg  and  appear  without  warning. 
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Mishap  Sequences 


I  1  I 

i  1  I 


_ 1 _ 

, 

1 

Successful 

Failed 

Safeguards 

not 

provided 

safeguards 

safeguards 

The  Accident  Sequence:  Elements  of  a  Mishap 

Hazards  —  Situations,  conditions,  characteristics,  or  proper¬ 
ties  that  create  the  potential  for  an  undesirable  consequence  to 
occur 

Initiating  event  —  The  event  in  an  accident  sequence  that,  if 
unmitigated,  results  in  one  or  more  undesirable  consequences 
occurring 

Demanded  events  —  One  or  more  events  that  act  (or  should 
have  acted)  to  mitigate  the  progression  of  an  initiating  event 
toward  undesirable  outcomes 

Consequences  —  Undesirable  events  having  the  potential  to 
adversely  affect  subjects  of  interest,  generally  Involving  the  re¬ 
lease  of  energy 

Effects  —  Measurable  impacts  on  subjects  of  interest  within  the 
area  of  influence  of  a  consequence,  generally  above  some 
threshold  of  interest  that  causes  concern 

Successful  safeguards  —  Planned  protections  that  successfully 
act  to  prevent/mitigate  undesirable  consequences 

Failed  safeguards  —  Planned  protections  that  fail  to  act  as 
intended  to  keep  hazards  from  causing  undesirable  conse¬ 
quences 

Safeguards  not  provided  —  Reasonable  protections  that  were 
not  provided,  but  could  have  acted  to  keep  hazards  from 
causing  undesirable  consequences 
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Mishap  Sequences 


Successful 

sofeguards 


I|  Elements  of  Mishaps:  Hazards 

Combnstible/ilammable  hazards 

Combustible/flammable  hazards  exist  when  there  is  a  potential 
for  one  or  more  materials  to  rapidly  react  with  an  oxidant,  releas¬ 
ing  energy  in  the  form  of  heat  and  light. 

Examples 

•  Hydrocarbons  and  hydrocarbon  derivatives  (solids,  liquids,  and 
gases) 

•  Hydrogen 

•  Other  gases  (e.g.,  carbon  monoxide) 

•  Finely  powdered  nonflammable  materials 

•  Various  metals  (depending  on  the  oxidizer) 

Explosion  hazards 

Explosion  hazards  exist  when  there  is  a  potential  for  one  or  more 
substances  to  release  energy  over  a  short  period  of  time,  generat¬ 
ing  a  pressure  wave  that  travels  away  from  the  source. 

Examples 

•  Many  flammable  materials 

•  Powders  and  dusts 

•  Nitrates 

•  Peroxides 

•  Highly  reactive  materials 

•  Strong  oxidizers 

•  Cryogenic  liquids 

•  Compressed  or  liquefied  gases 

Toxic  hazards 

Toxic  hazards  exist  when  there  is  a  potential  for  one  or  more 
materials  to  cause  biological  damage  to  surrounding  organisms 
(through  inhalation,  ingestion,  injection,  and/or  dermal  ab¬ 
sorption). 
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Mishap  Sequences 


Examples 

•  Chlorine/bromine 

•  Cleaning  and  maintenance  fluids 

•  Contaminated  feed,  water,  and  medical  supplies 

Asphyxiant  hazards 

Asphyxiant  hazards  exist  when  there  is  a  potential  for  one  or 
more  materials  to  prevent  organisms  from  using  available  oxy¬ 
gen. 

Simple  asphyxiants 

Simple  asphyxiants  are  typically  nontoxic  gases  that  displace  and 
exclude  the  oxygen  from  a  life-supporting  atmosphere.  Common 
simple  asphyxiants  are  carbon  dioxide  and  nitrogen. 

Chemical  asphyxiants 

Chemical  asphyxiants  are  often  highly  toxic  materials  that  prevent 
organisms  from  using  oxygen.  Carbon  monoxide  is  a  chemical 
asphyxiant  that  prevents  hemoglobin  from  carrying  oxygen. 

Corrosion  hazords 

A  corrosion  hazard  exists  when  there  is  a  potential  for  one  or 
more  materials  to  chemically  burn  body  tissues  (especially  the 
skin  and  the  eyes)  or  to  excessively  erode/dissolve  materials  of 
construction  or  emergency  response  equipment. 

Examples 

•  Cleaning/maintenance  fluids 

•  Battery  acid 

•  Bleach 

Chemical  reactant  hazards 

A  chemical  reactant  hazard  exists  when  there  is  a  potential  for 
one  or  more  materials  to  chemically  combine  (or  to  self-react) 
and  produce  undesirable  consequences. 

Example  hazardous  chemical  reactions 

•  Upsets  involving  process  temperatures  and  pressures 

•  Inadvertent  mixing  of  materials 

•  Material  contamination 

•  Material  handling  and  storage  errors 

Thermal  hazards 

A  thermal  hazard  exists  when  there  is  the  potential  for  extreme 
temperatures  to  produce  undesirable  consequences  affecting 
people,  materials,  equipment,  or  work  areas. 


1-10 


Coast  Guard  IRA  Manual 


How  Mishaps  Occur 


^flishog^^e^uences 


Example  causes  of  hazardous  temperature  conditions 

•  Exposed  or  uninsulated  high/low  temperature  equipment  or 
materials 

•  Fires  or  explosions 

•  Chemical  reactions 

•  Poor  ventilation  (i.e.,  inadequate  heat  dissipation) 

•  Cooling  or  heating  system  failure 

•  Ambient  conditions  and  other  equipment  or  operations  in  the 
area 

•  Phase  changes 

•  Gas  compression  or  expansion 

•  Friction 


Potential  energy  hazards 

Potential  energy  hazards  exist  when  undesirable  consequences 
can  result  from  the  following: 

•  High  pressures  (other  than  explosions)  (e.g.,  normal  process 
pressures) 

•  Low  pressures  (e.g.,  vacuum  conditions) 

•  Mass/gravity/height  (e.g.,  lifting  operations) 

Kinetic  energy  hazards 

Kinetic  energy  hazards  exist  when  undesirable  consequences  can 
result  from  linear  or  rotational  motion  of  process  materials, 
process  equipment,  support  equipment,  or  vehicles. 


Electrical  energy  hazards 

Electrical  energy  hazards  exist  when  undesirable  consequences 
can  result  from  contact  with  (or  failure  of)  manufactured  or  natu¬ 
ral  sources  of  electrical  voltage  or  current  (e.g.,  lightning,  electri¬ 
cal  charges,  short  circuits,  stray  currents,  and  loss  of  power 
sources). 
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Successful 
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Elements  of  Mishaps:  Initiating  and  Demanded  Events 

laitiatiiig  events 

Initiating  events  can  be  equipment  failures,  human  mistakes, 
external  influences,  or  any  action/occurrence  that  places  a  de¬ 
mand  on  a  safety  system. 

Examples 

•  A  rudder  breaking 

•  An  engineer  setting  a  control  incorrectly 

•  A  rogue  wave 

Demanded  events 

Demanded  events  can  be  responses  to  initiating  events  by 
equipment  and/or  humans. 

Examples 

•  Relief  valve  acting  to  mitigate  pressure  excursion 

•  Safety  observer  interrupting  an  evolution  to  correct  a  safety 
problem 
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Mishap  Sequences 


Hazard(s) 


Initiating 

event 


Demanded 

events 


Conse- 

quence(s) 


Successful 

safeguards 


Failed 

safeguards 


Safeguards 

not 

provided 


Elements  of  Mishaps:  Consequences 

Summary  of  mishaps  of  interest 


Mishaps  of  interest 

Capsizing  vessei 

Person  overboard 

Collision  with  another  vessel 

Hazardous  exposure:  contact  injury 

Collision  with  a  fixed  object 

Hazardous  exposure:  toxic/corrosive 

Collision  with  a  floating  object 

materials 

Grounding  vessel 

Hazardous  exposure:  electrical  shock 

Sinking  vessei 

Hazardous  exposure:  cold  environment/ 

Fouied  screw 

surface/material 

Fire/expiosion 

Hazardous  exposure:  hot  environment/ 

Firearm  discharge 

sur^ce/material 

Equipment  damage/loss 

Hazardous  exposure:  asphyxiants 

Loss  of  small  boat 

Hazardous  exposure:  noise 

Loss  of  helo 

Hazardous  exposure:  radiation 

Drowning 

Hazardous  exposure:  biological  materials 
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I  1  Elements  of  Mishaps:  Effects 


Classes  of  mishaps 


Mishap  Severity 
Category 

Description 

Class  A 

•  The  cost  of  reportable  property  damage  is 
$1,000,000  or  greater 

•  A  vessel  is  missing  or  abandoned,  recovery  is 
impossible  or  impractical,  the  vessel  cannot  be 
repaired  economically 

•  An  injury  or  illness  results  in  a  fatality  or  permanent 
total  disability 

•  Comparable  environmental  effects 

•  Comparable  mission  degradation  impacts 

Class  B 

•  The  resulting  cost  of  reportable  property  damage  is 
$200,000  or  more  but  less  than  $1,000,000 

‘  Any  injury  and/or  illness  results  in  permanent  partial 
disability 

•  Five  or  more  people  are  inpatient  hospitalized 

•  Comparable  environmental  effects 

•  Comparable  mission  degradation  impacts 

Class  C 

•  The  cost  of  property  damage  is  $10,000  or  more  but 
less  than  $200,000 

•  A  nonfatal  injury  or  illness  that  results  in  any  loss  of 
time  from  work  beyond  the  day  or  shift  on  which  it 
occurred 

•  Comparable  environmental  effects 

•  Comparable  mission  degradation  impacts 

Class  D 

•  The  cost  of  property  damage  is  less  than  $10,000 

•  A  nonfatal  injury  or  illness  occurs  that  does  not  meet 
the  criteria  of  a  Class  C  mishap 

•  A  person  is  overboard,  an  accidental  firearms 
discharge  occurs,  or  an  electric  shock  occurs  that 
does  not  meet  the  criteria  of  a  higher  classification 

•  Comparable  environmental  effects 

•  Comparable  mission  degradation  impacts 
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Elements  of  Mishaps:  Safeguards 

Safeguards 

Safeguards  can  be  engineered  systems,  personnel  monitoring/ 
response,  or  administrative  policies/programs  for  (1)  lessening 
hazards,  (2)  preventing  initiating  events,  (3)  preventing  adverse 
demanded  events,  (4)  mitigating  consequences,  and/or  (5)  less¬ 
ening  effects. 

Examples  of  safeguards 

•  Preventive  maintenance  for  the  steering  system  and  relief 
valves 

•  Policy  for  having  a  safety  supervisor  for  all  deck  operations 

•  Personnel  qualification  programs  for  a  key  position 
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Mishap  Sequences 


Mishap  Prevention:  Addressing 
the  Cansal  Factors 

■  Eliminate  hazards 

■  Prevent  initiating  events 

■  Add  safeguards 

e  Make  safeguards  more  reliable 

■  Reduce  consequences 

■  Reduce  effects 


Mishap  Prevention  Concepts 

Mishap  prevention:  addressing  the  elements  of  sequences 
Eliminate  hazards 

Make  processes  Inherently  safer  by  eliminating  hazards 
For  example: 

•  Eliminate  energy  sources: 

-  pressure 

-  heat 

-  potential  energy 

-  kinetic  energy,  etc. 

•  Eliminate  the  use  of  hazardous  materials  and  materials  that 
can  generate  hazardous  energy 

Prevent  initiating  events 

Reduce  the  likelihood  of  initiating  events 

For  example: 

•  Eliminate  error-likely  situations  that  set  people  up  for  failure 

•  Perform  inspections,  tests,  and  preventive  maintenance  as 
necessary 

•  Improve  design  ratings  and  factors  of  safety 

Add  safeguards 

Provide  "multiple  layers  of  safeguards"  in  critical  applications 
For  example: 

•  Add  redundant  instrumentation,  especially  those  of  different 
design/operation 

•  Add  redundant  pumps/blov/ers,  especially  those  with  different 
types  of  drivers 

•  Require  additional  operator  surveillance/checks  during 
operations 
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Make  safeguards  more  reliable 

Reduce  the  likelihood  of  safeguard  failures 

For  example: 

•  Eliminate  error-likely  situations  that  set  people  up  for  failure 

•  Perform  additional/more  frequent  inspections,  tests,  and 
preventive  maintenance 

•  improve  design  ratings  and  factors  of  safety 

•  Staff  operations  and  maintenance  departments  appropri¬ 
ately 

Reduce  consequences 

Make  processes  inherently  safer  by  reducing  the  potential  severity 
of  consequences 

For  example: 

•  Reduce  energy  stored  or  generated  as 

-  pressure 

-  heat 

-  potential  energy 

-  kinetic  energy,  etc. 

•  Minimize  inventories  of  hazardous  materials  and  materials 
that  can  generate  hazardous  energy 

•  Substitute  less  hazardous  materials  for  more  hazardous  mate¬ 
rials 

•  Provide  mitigation  systems  to  limit  consequences  (e.g.,  alarms, 
quick-shut-off  valves) 

Reduce  effects 

Protect  subjects  of  interest  from  consequences 
For  example: 

•  Provide  emergency  response  training 

•  Provide  personal  protective  equipment 

•  Move  people  away  from  the  danger  zones 

•  Train  the  employees  and  community  to  shelter-in-place 
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_ 1 _ 
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1 
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Successful 
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Failed 

safeguards 

Safeguards 

not 
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Case  Study:  The  Exxon  Valdez  Accident 
I  \  Hazards 

- ^  •  Oil  (environmental  pollutant/toxin) 

•  Kinetic  energy  of  vessel 

I  Initiatiiig  event 

- •  Ship  departed  in  dork  in  hazardous  conditions  (icebergs  in 

normal  path,  requiring  departure  from  normal  course) 

I  I  Failed  safeguards  (mitigation) 

- ^  •  Captain  not  on  bridge 

I - j|  •  Experienced  mate  not  in  charge  of  critical  turn 

.  •  First  cleanup  team  did  not  arrive  until  14  hours  after  spill 

— -  "dedicated"  recovery  barge  had  been  in  dry  dock  for  repairs 
I  I  for  last  2  months 

- y  -  booms  and  skimmer  equipment  had  to  be  located  and 

loaded  onto  barge 

-  once  loaded,  barge  was  unloaded  to  transport  transfer 
pumps  (pumps  needed  to  transfer  oil  from  Exxon  Valdez  to 
another  ship) 

•  Dispersants  to  be  used  on  spill 

-  worldwide  supply  not  large  enough  for  this  size  of  spill 

-  authorization  to  use  dispersants  not  given  for  3  days 

•  Response  was  disorganized  because  of  lack  of  planning  (48 
hours  after  spill,  only  3,000  of  240,000  barrels  of  oil  recov¬ 
ered) 

I  I  Safeguards  not  provided 

^ ^  •  Double  hull  tanker 

-  double  hull  may  not  have  prevented  spill  but  could  have 
reduced  consequences 

•  Coast  Guard  monitoring  capability 
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y  Consequences 

•  600-foot  hole  ripped  in  bottom  of  tanker 
*  240,000  barrels  (10,000,000  gallons)  of  oil  spilled,  posing 
j]  potentially  catastrophic  damage  to  local  environment 

il  Effects 

•  Major  environmental  damage  including  many  dead  animals 
-  1,000+  otters 
-  35,000+  birds 
•  $1  billion+  in  cleanup  costs 

Long-range  impacts 

•  Environmental  damage  to  Prince  William  Sound 
•  Fishing  fleet  in  area  affected 

•  Increased  public  concern  about  transportation  accidents, 
especially  in  ship  traffic  in  Prince  William  Sound 
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Failed 
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Safeguards 

not 

provided 


Case  Study:  The  NASA  Challenger  Accident 
I  I  Hazard 

- ^  •  Fire/explosion  hazards  of  fuels  (liquid  hydrogen  and  liquid 

oxygen) 

I  Initiating  event 

•j  •  Liftoff  of  shuttle  (during  low  ambient  temperature) 

I  Failed  safeguards 

. - J  •  O-ring  failed 

I  i|  -  cold  temperature  at  liftoff  reduced  pliability  of  rubber  seals 

-J  •  Ineffective  management  assessment  of  identified  issues 

-  temperature  effects  on  O-ring  not  well  understood  (at  least 
by  launch  safety  personnel) 

-  no  definite  operating  envelope  set  for  O-rings 

-  design  specification  did  not  include  a  temperature  range 

•  Prior  evidence  of  O-ring  problems  not  viewed  as  a  problem 

-  O-ring  damage  observed  on  15  of  25  missions 

-  eventually,  O-ring  damage  viewed  as  acceptable 

- Sofegnards  not  provided 

I  I  •  Effective  O-ring  design 

- ^  •  Timely  communication  of  temperature  limit  of  O-ring  in  this 

service 

■  Consequence 

I  I  •  Flight  51 -L  explodes  73  seconds  after  liftoff 

N  Effects 

I  I  •  Loss  of  seven  astronauts 

^  •  Loss  of  multibillion-dollar  shuttle 

. . .1  Long-range  impacts 

I  I  •  Suspension  of  shuttle  program  for  almost  3  years 

•  Safety  culture  of  NASA  considered  suspect 
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Case  Study:  The  Union  Corbide  Bhopal  Accident 

Hazard 

•  Principal  hazards  producing  the  accident  were 
~  the  reactivity  of  MIC  with  water  and 

-  the  extremely  toxic  properties  of  MIC 

Initiating  event 

•  Introduction  of  water  into  the  MIC  storage  tank  as  a  result 
of 

-  theory  1  (Union  Carbide)  —  sabotage 

-  theory  2  (Indian  government)  — 

a  slip  blind  was  not  used  for  isolation  when  a  piping  section 
was  water  washed 

v^as  a  result,  water  flowed  through  a  series  of  pipes  to  the  MIC 
tank 

Failed  safeguards 

•  Refrigeration  system  associated  with  the  MIC  storage  tank  was 
out  of  service 

-  refrigerant  drained  for  use  in  another  system 

-  system  would  have  reduced  the  pressure  increase  in  the 
tank 

•  Flow  to  the  spare  MIC  storage  tank  was  blocked,  preventing 
depressurization  during  the  excursion 

-  system  would  have  provided  surge  volume 

•  Vent  gas  scrubber  was  shut  down  for  maintenance 

•  After  scrubber  was  turned  on,  fresh  caustic  was  not  supplied  to 
neutralize  the  MIC 

-  would  have  detoxified  some  of  the  vapors 

•  Flare  tower  was  out  of  service  for  maintenance 

-  would  have  burned  some  of  the  toxic  gas 

•  Evacuation  siren  not  sounded 

-  could  have  provided  some  evacuation  of  the  population 

•  Water  curtain  was  not  designed  to  reach  heights  above  15  m 
(release  occurred  33  m  above  the  ground) 

-  would  have  knocked  down  some  of  the  vapors 

•  Security  measures  against  sabotage? 
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3  Safeguard  not  provided 

•  Inadequate  buffer  area  around  plant 

I  I  Consequence 

•J  •  Major  release  of  MIC  in  the  plant  and  into  the  surrounding 

community 

I  j|  Effects 

- ‘J  •  2,000+  people  killed  as  a  result  of  toxic  exposure 

•  200,000+  people  injured 

*  $470  million  paid  by  Union  Carbide  to  Indian  government 

•  Costs  associated  with  defending  the  company  against  law¬ 
suits 

I - j  •  Reputation  damaged  in  India  and  the  U.S. 

- Long-range  impacts 

•  Additional  inspections  of  Union  Carbide  plants  in  the  U.S. 

•  Major  stimulus  for  worldwide  emphasis  on  process  safety, 
which  eventually  (along  with  some  other  notable  events)  led 
to  development  of  OSHA's  regulation.  Process  Safety  Mar)- 
agemenf  of  Highly  Hazardous  Chemicals 
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Case  Study:  The  Phillips  Bouston  Chemical  Complex 
Accident 

Hazards 

•  Flammable  materials  (isobutane,  ethylene,  hexane,  and  hy¬ 
drogen) 

•  High  pressure  materials 

Initiating  event 

•  Clearing  of  a  clog  in  the  settling  leg  (a  daily  task  that  required 
use  of  written  procedures) 

Failed  safeguards 

•  Isolation  of  the  process  lines  from  the  environment  not  pro¬ 
vided 

-  DEMCO  valve  did  not  have  its  lockout  device  in  place 

-  air  actuator  hose  connections  for  opening  and  closing  the 
valve  were  identical  (and  were  switched) 

-  safety  interlock  for  valve  was  not  switched  to  compensate 
for  misconnection  of  actuator  air  hoses 

-  either  the  valve  was  triggered  open  or  an  operator  jogged 
the  valve  full  open 

-  air  supply  manual  valves  for  the  actuator  were  open  before 
reattaching  the  settling  leg 

•  Firewater  systems  damaged  by  the  explosion 

Safeguards  not  provided 

•  Redundant  isolation  of  the  process  from  the  atmosphere  not 
provided  by  hardware  setup  or  procedure  (still  not  feasible) 

•  No  means  of  closing  DEMCO  valve  remotely  if  the  field 
switch  is  reversed 

•  Inadequate  separation  between  the  nonprocess  buildings 
(including  the  control  room)  and  the  process  equipment,  or 
inadequate  construction  of  the  control  room 

-  control  room  destroyed  by  the  initial  blast 
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g  Consequences 

•  Initial  blast  equivalent  to  1 .6  tons  of  TNT 

*  Subsequent  fires  and  explosions  exposing  people  and  equip¬ 
ment  to  high  heat  fluxes,  blast  effects,  and  projectiles 

I  I  Effects 

^  *23  fatalities 

•  130  injured  v/orkers 

•  Numerous  workers  affected  psychologically 
•  $750  million  in  damage  to  two  polyethylene  plants  and 

surrounding  plants/buildings 
•  Lost  production  capability  for  more  than  18  months 

I  Long-range  impacts 

^  •  Focused  regulatory  attention  on  Phillips  operations,  especially 

at  the  Houston  Chemical  Complex 

•  Another  stimulus  for  worldwide  emphasis  on  process  safety 
with  a  direct  relationship  to  acceleration  of  OSHA's  regula¬ 
tion,  Process  Safety  Management  of  Highly  Hazardous  Chemi¬ 
cals 
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Events  Producing  Losses  of  Function 

A  specific  loss  of  system  function  is  caused  by  a  combination  of 
one  or  more  equipment  failures  and/or  human  errors,  (in  fact, 
human  errors  are  also  the  underlying  causes  of  most  equipment 
failures.)  For  each  loss  of  system  function,  there  are  generally 
many  combinations  of  events  that  can  produce  the  perfor¬ 
mance  problem 


Combinations  of  events  prodneing  a  loss  of  function 

•  EQF#1 

•  EQF  #2,  EQF  #3 

•  HE  A,  HE  B 

•  EQF  #4,  HE  C 

•  HEA,  HEC,  HED 

•  Etc. 

Example 

A  lighting  system  has  a  single  power  supply  and  two  light  bulbs  in 
parallel.  The  entire  circuit  is  protected  by  a  single  breaker  and 
controlled  by  a  single  switch.  The  following  is  a  list  of  events 
contributing  to  a  lack  of  room  lighting: 

•  Power  supply  fails  off 

•  Wiring  failure 

•  Circuit  breaker  fails  open 

•  Switch  fails  open 

•  Operator  inadvertently  opens  switch 

•  Light  bulb  #1  fails  off;  light  bulb  #2  fails  off 

•  Operator  Incorrectly  installs  light  bulb  #1;  operator  Incor¬ 
rectly  installs  light  bulb  #2 

•  Operator  Incorrectly  installs  light  bulb  #1;  light  bulb  #2 
fails  off 

•  Light  bulb  #1  fails  off;  operator  incorrectly  installs  light 
bulb  #2 
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Stress  vs.  Strengtli  Distributions 


Lerga  ilrMt/ 
ilrengtH  difffOCT 


Equipment  Life  Periods 

An  equipment  failure  is  a  state  or  condition  in  which  a  compo¬ 
nent  no  longer  satisfies  some  aspect  of  its  design  intent. 

Equipment  failure  occurs  when  the  "stress"  on  the  component 
exceeds  the  component's  "stress  resistance."  (In  this  case, 
"stress"  refers  to  some  negative  influence,  and  "stress  resis¬ 
tance"  refers  to  the  component's  resistance  to  that  influence.) 


•  Ductile  fracture 

•  Brittle  fracture 

•  Mechanical 
fatigue 


•  Abrasive 

•  Adhesive 

•  Fretting 

•  Pitting 


•  Galvanic 

•  Uniform 

•  Stress  corrosion 
cracking 


•  Creep 

•  Metallurgical 
transformations 

•  Thermal  fatigue 
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Some  important  properties  of  metals  providing  "stress 
resistance" 


Ductility 
Toughness 
Fatigue  resistance 
Hardness 

Chemical  resistance 


The  ability  to  deform  plastically  with¬ 
out  fracturing 

The  ability  to  absorb  energy  before 
fracturing 

The  ability  to  withstand  repeated 
application  of  load  without  failing 

The  ability  to  resist  (1)  local  penetra¬ 
tion  and  (2)  wear 

The  ability  to  resist  chemically  reacting 
with  compounds  in  process  materials, 
the  environment,  and/or  other  materi¬ 
als  of  construction 


Creep  resistance  The  ability  to  resist  plastic  deformation 

under  sustained  load 
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Causes  of  Component  Failnres 

■  Faulty  design 

■  Faulty  material 

■  Improper  fabrication 

■  Incorrect  construction 

■  Misoperation 

■  Inadequate  maintenance 

Causes  of  Component  Failure 


Faulty  design 

•  Incorrect  equipment 
sizing 

•  Improper  material 
specified 

•  Weld  joints  in  regions  of 
high  stress 

•  Structural  discontinuities, 
notches,  etc. 

•  Etc. 

Faulty  material 

•  Material  chemistry  out  of 
specification 

•  Improper  heat  treatment 

•  Etc. 

Improper  fabrication 

•  Improper  materials  used 

•  Improper  welding 

•  Incorrect  machining 
tolerance 

•  Improper  stress  relief 

•  Etc. 


Incorrect  construction 

•  Improper  mounting 

•  Component  misalign¬ 
ment 

•  Improper  welding 

•  Bolts  improperly  torqued 

•  Use  of  incorrect  cleaning 
fluids 

•  Etc. 

Misoperation 

•  Improper  startup 

•  Operating  outside  safe 
design  limits 

•  Severe  service  conditions 

•  Etc. 

Inadequate  maintenance 

•  Repairs  performed 
incorrectly 

•  Unsuitable  replacement 
parts 

•  Preventive  maintenance 
not  performed 

•  Etc. 
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Relationship  of  PSFs  and 
Human  Performance 

OPTIMUM  PERFORMANCE 

O 

nauTATivEtiims 

o 

EXTERNAL  PSFs 

SITUATIONAL 

MATCH 

CHARACTERISTICS 

TASK  S  EQUIPMENT 
CHARACTERISTICS 

CO  on 

INTERNAL  PSFs 

OROAMSMIC 

FACTORS 

JOB  A  TASK 
INSTRUCTIONS 

MOMATCH 

O 

DISRUPTIVE  STRESS 

O 

SUBOPTWUM  PERFORMANCE 

Human  Error 

Human  error  is  an  intentional  or  unintentional  action  (or  inaction) 
that  is  outside  of  the  prescribed  course  of  action.  Human  error  is 
often  the  dominant  contributor  to  system  failures  and  is  generally 
the  underlying  problem  even  when  equipment  failures  play  a 
significant  role  in  system  failures. 

1  1 

System  failures  resulting  directly  from  human  errors 

Missiles  20  to  53% 

Nuclear  weapons 

28  to  82% 

Electronic  systems 

23  to  45% 

Aircraft 

60  to  90% 

Nuclear  power 

70  to  80% 

Petrochemical 

65  to  90% 

Human  performance  is  strongly  influenced  by  performance 
shaping  factors  (PSFs),  which  include  the  following: 

1  1 

External  PSFs 

Situational  characteristics 
Task/equipment  characteristics 
Job/task  instructions 

Stressor  PSFs 

Psychological  stressors 

Physiological  stressors 

Internal  PSFs 

Organismic  factors 
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Events  Producing  Losses  of  Fnnction 


Problem 

Symptoms 

Root 

Giuses 


Introduction  to  Root  Causes 
j  Root  ecrase  definition 

^  •  The  most  basic  causes  of  an  event  that 

-  can  be  reasonably  identified  and 

-  management  has  control/influence  to  fix 

*  Typically,  root  causes  are  the  absence,  neglect,  or  deficiencies 
of  management  systems  that  control  human  actions  and 
equipment  performance 
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This  diagram  illustrates  how  management  system  weaknesses  lead  to  human  errors,  equipment 
failures,  and  adverse  effects  from  external  events  that  combine  to  produce  losses.  Note  that 
each  management  system  weakness  may  influence  more  than  one  human  error,  equipment 
failure,  or  external  event. 
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Risk  Management 

Inherent  in  every  process  or  operation  are  hazards  that,  if  not 
properly  controlled,  could  cause  harm  to  the  public,  organiza¬ 
tional  personnel,  the  environment,  and  organizational  opera¬ 
tions.  To  effectively  and  properly  manage  the  risks  associated 
with  these  hazards,  management  must: 

Set  risk  management  goals  —  that  define  the  issues  of 
concern  to  the  organization  and  establish  criteria  for  accepting 
(or  reducing)  the  level  of  risk  inherent  in  its  operations 

Assess  the  risk  associated  with  operations  —  to  systemati¬ 
cally  identify  potential  operational  failures,  determine  if  such 
failures  result  in  issues  of  concern,  and  evaluate  the  likelihoods 
and/or  consequences  of  failures  that  are  of  concern.  Assess  the 
risk  of  such  failures  and  institute  additional  control  measures 
when  the  risk  is  not  acceptable 

Control  the  unacceptable  risks  —  by  revising  or  instituting 
management  systems,  redesigning  equipment  (e.g.,  adding 
redundancy),  or  minimizing  the  hazard  (e.g.,  switching  to  a 
nonflammable  solvent  for  cleaning  parts)  to  bring  the  risk  to 
an  acceptable  level 

Measure  the  performance  of  operations  —  to  determine 
whether  control  measures  in  place  are  keeping  risk  at  an 
acceptable  level.  If  the  risk  level  is  unacceptable,  management 
will  need  to  determine  if  (1)  their  risk  management  goals  are 
too  stringent,  (2)  more  detailed  assessments  are  needed  to 
identify  root  causes,  and/or  (3)  additional  controls  are  needed 
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Risk  Umbrella 

To  control  risks,  organizations  develop  an  umbrella  of  manage¬ 
ment  systems  that  protect  personnel,  the  public,  the  environ¬ 
ment,  and  equipment  from  potential  mishaps.  As  issues  of 
concern  expand  for  an  organization,  the  umbrella  of  manage¬ 
ment  systems  may  need  to  be  expanded  to  cover  these  new 
concerns.  As  risk  acceptance  goals  change,  the  "toughness"  (or 
strength  of  protection)  provided  by  the  umbrella  must  change 
to  provide  acceptable  protection.  In  other  words,  organizations 
must  establish  risk  goals  that  define  what  to  protect  and  how 
well  to  protect  it. 

The  risk  umbrella  is  not  perfect.  The  umbrella  is  not  large  enough 
to  protect  against  all  potential  mishaps.  And  the  umbrella  is  not 
thick  enough  to  prevent  all  mishaps  from  breaking  through  it. 
An  organization's  risk  goals  define  the  size  and  strength  of  its 
umbrella  of  protection. 
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Risk  Goals 

It  is  difficult  to  assess  or  control  risks  without  knowing  what  to 
aim  at  (i.e.,  having  a  target)  and  how  closely  you  hit  the  tar¬ 
get.  Thus,  the  first  element  of  risk  management  involves  estab¬ 
lishing  risk  management  goals. 

Issues  of  eoneent 

Issues  of  concern  are  consequences  that  have  a  significant 
impact  on  the  organization.  Both  the  type  of  consequence 
(personnel  safety,  equipment  damage,  public  safety,  operation 
failure,  etc.)  and  the  level  of  the  consequence  (minor,  moder¬ 
ate,  major,  etc.)  are  factors  that  management  must  weigh  in 
defining  issues  of  concern. 

Risk  aeeeptonee  criteria 

All  operations  in  a  organization  pose  some  risk,  in  order  to 
determine  whether  operations  are  adequately  controlled, 
management  must  establish  some  type  of  risk  acceptance 
criteria.  The  criteria  usually  take  the  form  of  a  likelihood  level, 
a  consequence  severity,  or  a  combination  of  these  two,  that 
should  not  be  exceeded.  A  potential  system  failure  that  results 
in  exceeding  these  criteria  generally  results  in  recommenda¬ 
tions  to  better  control  the  risks. 

Example  issues  of  concern 


Issue 

Conseauence  Tvoe 

Severity 

Safety 

Personnel  safety 

Public  safety 

Fatality  or  multiple  injury 
Multiple  injury 

Environmental 

Onsite  spill/release 

Offsite  spill/release 

Cleanup  required 
EPA  reportable 

Equipment 

Operational  outage 

Major  failure 

Delay  >  2  hours 
Repair/replacement 
>  $10,000 

Media 

Operational  failure 
Safety/environmental  issue 

National  broadcast 
Multiple-city  broadcast 
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What  can  go  iwrong? 

Systematic  hazard  analysis  methods  are  used  to  identify  system/ 
operational  failures  (due  to  equipment  failures,  human  errors, 
and/or  external  events)  that  create  issues  of  concern.  Based  on 
the  number  and  types  of  failures  that  must  occur,  an  analyst 
gains  a  good  understanding  of  the  risk  associated  vrith  an  issue 
of  concern. 

How  likely  is  it? 

Likelihood  is  usually  expressed  as  the  probability  or  frequency 
of  a  mishap  occurring.  If  the  likelihood  is  lov/  enough,  analysts 
may  dismiss  a  potential  mishap  scenario  as  not  credible,  not  of 
concern,  or  of  extremely  low  risk.  Note,  however,  that  the 
likelihood  cutoff  for  making  such  judgments  often  changes  with 
the  type  and  severity  of  consequence  associated  with  the  po¬ 
tential  mishap. 

What  are  the  impacts? 

A  mishap  can  impact  many  areas  of  concern  with  different 
degrees  of  severity.  For  example,  a  fired  heater  that  is  lit  with¬ 
out  proper  purging  could  explode,  probably  causing  major 
equipment  damage  and  personnel  injury.  However,  it  is  unlikely 
that  this  mishap  causes  environmental  damage  or  public  injury. 
The  type  and  severity  of  consequences  associated  with  a  mis¬ 
hap  scenario  help  an  analyst  to  further  understand  and  judge 
risk. 
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■  Risk  is  the  doublet  of  frequency  (F)  and 
consequence  (C),  often  expressed  as 
FxC 

■  Two  categories  of  risk 

♦  risks  that  can  be  minimized  or  eliminated 

♦  residual  risks 


Frequency 

The  frequency  of  a  mishap  scenario  is  usually  expressed  as 
events  per  year.  The  frequency  should  be  determined  from 
historical  data  if  a  significant  number  of  events  have  occurred 
in  the  past.  Usually,  however,  we  focus  on  mishaps  with  more 
severe  consequences  for  which  little  historical  data  exists.  For 
such  events,  the  mishap  frequency  is  calculated  with  basic  data 
from  industrial  databases. 

Consequence 

Consequence  is  expressed  as  the  number  of  people  affected 
(injured  or  killed),  area  affected,  outage  time,  mission  delay, 
dollars  lost,  etc.  Because  a  single  mishap  scenario  can  have  a 
range  of  consequences,  we  normally  use  categories  or  best 
estimates  to  define  the  outcome  of  a  mishap. 


Risk 


The  risk  of  a  mishap  is  calculated  as  the  product  of  the  fre¬ 
quency  and  consequence  of  the  mishap.  By  doing  this,  we  are 
able  to  compare  the  risks  of  various  operations  and  different 
mishaps  that  can  occur  within  an  operation.  However,  you 
should  also  compare  the  two  consequences  since  we  often 
judge  risk  based  on  consequence  alone. 

For  example,  suppose  mishap  #1  has  a  frequency  of  10*Vyr 
and  a  consequence  of  $10,000.  Mishap  #2  has  a  frequency  of 
10-^/yr  and  a  consequence  of  $1,000,000.  The  risk  of  either 
mishap  is  $100/yr,  but  you  might  self-insure  for  accident  #1 
and  buy  insurance  for  mishap  #2  —  different  decisions  based 
on  consequence. 
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Risk  Categories 

There  are  risks  with  any  operation.  Once  these  risks  are 
known,  we  can  take  measures  to  reduce  the  risk  (e.g.,  insulate 
hot  surfaces  to  reduce  the  chance  of  getting  burned)  or  elimi¬ 
nate  the  risk  (e.g.,  switching  to  nonflammable  cleaning  materi¬ 
als  to  eliminate  a  fire  hazard).  However,  some  known  risks  are 
accepted  as  the  "cost  of  doing  business."  These  residual  risks 
should  be  within  an  organization's  risk  acceptance  criteria. 


2rQ 
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Many  loetors  influence  our  acceptance  of  risk: 


■  Familiarity 

■  Likelihood 

■  Control 

■  Media  attention 

■  Consequence 


■  Suddenness  of 
consequence 

■  Personal  vs.  societal 

■  Benefit 

■  Dread 


Risk  Acceptance 

Many  factors  inflnence  onr  acceptance  of  risk: 

Familiarity  —  People  are  more  comfortable  and  accepting  of 
risk  when  they  are  personally  very  familiar  with  the  operation. 
(For  example,  is  a  traveler  more  fearful  of  a  bus  accident  or  a 
plane  crash?  Which  has  the  greater  risk?) 

Likelihood  —  Our  belief  in  the  likelihood  or  credibility  of  a 
mishap  influences  our  risk  acceptance. 

Control  —  We  accept  more  risk  when  we  are  personally  in 
control  because  we  trust  ourselves.  (For  example,  are  you  more 
afraid  when  you  drive  a  car  too  fast  or  when  you  are  the 
passenger  in  a  speeding  car?) 

Media  attention  —  We  fear  problems  that  we  are  aware  of 
and  that  we  perceive  are  important  and  credible.  Media  cover¬ 
age  of  issues  increases  our  awareness  and  belief  in  the  credibil¬ 
ity  of  a  problem. 

Consequence  —  Our  risk  acceptance  level  is  low  for  facilities 
that  can  have  mishaps  with  large  consequences.  For  example, 
a  severe  accident  at  a  nuclear  power  plant  could  affect  a  large 
population.  Thus,  we  build  very  few  such  plants  and  we  highly 
regulate  their  safety.  The  risk  associated  with  coal-fired  plants 
is  higher,  but  such  plants  are  not  as  regulated  by  the  govern¬ 
ment. 

Suddenness  of  consequence  —  The  sooner  we  feel  the  impact 
of  an  event,  the  less  likely  we  are  to  accept  the  risk.  (Will  you 
risk  your  life  to  save  your  car  from  a  carjacker?  Will  you  risk 
your  life  by  smoking  cigarettes  for  40  years?) 
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Personal  vs.  societal  —  We  accept  risk  that  only  affects  our¬ 
selves.  We  apply  a  higher  standard  to  protect  society. 

Benefit  —  As  the  benefit  we  derive  from  an  operation  in¬ 
creases,  we  are  more  accepting  of  the  risk.  For  example,  driv¬ 
ing  a  car  is  more  risky  than  traveling  by  plane.  Because  of 
personal  benefit,  people  are  usually  more  accepting  of  driving 
than  flying. 
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Acceptable  Risk 

■  There  is  no  practical  definition 

■  Its  perception  varies  among  industries 

■  It  is  very  hazard  specific 

■  Even  government  agencies  are  not 
consistent 

■  There  are  contemporary  comparisons 
that  can  be  made 


Acceptable  Risk 

With  the  many  different  factors  that  influence  our  ideas  and 
acceptance  of  risk,  it  is  nearly  impossible  for  us  to  define  an 
acceptable  risk  level.  Many  companies  and  the  government  have, 
directly  or  indirectly,  defined  acceptable  risk.  However,  this 
definition  has  varied  dramatically  among  industry,  government 
agencies,  and  even  hazardous  items  (e.g..  What  risk  is  accept¬ 
able  with  the  carcinogens  benzene  in  gasoline  and  asbestos  in 
public  buildings?).  Even  with  these  difficulties  in  defining 
acceptable  risk,  we  should  not  give  up  on  the  idea.  By  setting 
a  risk  standard,  organizations  can  more  easily  identify  high 
risk  operations,  allocate  resources  more  appropriately,  and 
measure  the  effectiveness  of  their  risk  reduction  efforts. 

The  following  table  is  a  summary  of  implied  risk  acceptance 
criteria  from  various  government  agencies  for  various  sub¬ 
stances.  The  numbers  listed  are  no  longer  valid,  but  do  illus¬ 
trate  that  acceptable  risk  is  difficult  to  determine. 
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□  Agency  interpretations  of  Significant  Risk 

- 

Lifetime  individual  risks  that  agencies  chose  to  regulate 


Risk 

Substance  (statute) 

4x10-1 

Arsenic  (OSHA) 

2x10-1 

Ethylene  dibromide  (OSHA) 

1  X  10-1 

Ethylene  oxide  (OSHA) 

6x10-2 

Asbestos  (OSHA) 

3  X  10-2 

Arsenic  from  primary  copper  smelting  (CAA) 

2x10-2 

Coke  oven  emissions  (CAA) 

1  X  10-2 

Methylenedianiline  (TSCA) 

1  X  10-2 

Butadiene  (TSCA) 

1  X  10-2 

Uranium  mines  (CAA) 

5  X  10-3 

Benzene  from  coke  ovens  (CAA) 

2x10-3 

Benzene  from  fugitive  emissions  (CAA) 

1  X  10-3 

Radionuclides  from  phosphate  mines  (CAA) 

8x10-1 

Arsenic  from  glass  manufacture  (CAA) 

8x10-^ 

Radionuclides  from  DOE  installations  (CAA) 

2  X  10-1 

Workers  in  coke  ovens  (OSHA) 

1  X  10-1 

Radionuclides  from  NRC  licensees  (CAA) 
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Risk  Assessment 

The  risk  assessment  process  begins  with  the  development  of 
mishap  scenarios  for  an  operation  that  can  result  in  issues  of 
concern.  Once  the  mishap  scenarios  are  known,  we  must 
determine  whether  the  risks  of  these  scenarios  are  acceptable. 
Thus,  we  must  determine  the  likelihood  and  consequence  of 
each  scenario.  The  product  of  these  two  factors,  summed  for 
all  mishap  scenarios  identified,  gives  the  risk  of  the  operation. 
With  the  risk  known,  management  can  now  initiate  actions  to 
investigate  the  risks  that  are  unacceptable  (root  cause  analysis) 
and  establish  appropriate  controls. 

Mishap  scenario  —  a  combination  of  events,  including  initiat¬ 
ing  events,  (equipment  failures,  human  errors,  external  events) 
and  failed  safeguards  (equipment  failures  and  human  errors) 
that  result  in  an  undesirable  consequence  (an  issue  of  con¬ 
cern).  Coarse  hazard  analysis  methods  are  often  used  to  sys¬ 
tematically  identify  mishap  scenarios  for  an  operation 

Likelihood  —  the  frequency  or  probability  that  a  mishap 
scenario  occurs.  This  value  is  usually  estimated  by  multiplying 
the  frequency  of  a  mishap  initiating  event  and  the  failure 
probabilities  of  safeguards  (hardware  and  administrative 
controls)  that  should  have  "stopped"  the  mishap 

Consequence  —  the  damage  associated  with  the  mishap 
scenario.  Numerous  analysis  tools  and  computer  models  are 
available  to  calculate  the  damage  caused  by  a  mishap  scenario 

Risk  —  the  product  of  mishap  scenario  frequency  and  conse¬ 
quences 

Root  cause  —  the  underlying,  basic  reason  why  a  failure 
occurred.  Using  the  risk  assessment  results,  we  focus  on  those 
failures  that  contribute  to  the  highest  risk  mishaps.  We  then 
use  structured  investigation  tools  to  find  the  root  causes  of 
these  specific  failures  and  focus  management  efforts  on  fixing 
these  root  causes 
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Influence  of  Assumptions 

1  10- 
JS 

2  10- 

& 

2 

2  10- 

I 

lO-T 

AlCDEFOHIJ 

Toams  of  QRA  Experts  t 

Influence  of  Assumptions 

In  performing  or  evaluating  risk  assessments,  you  should  pay 
careful  attention  to  any  assumptions  made  during  the  identifica¬ 
tion  of  mishap  scenarios  and  estimation  of  mishap  likelihoods 
and  consequences.  The  above  graph  shows  the  results  of  a 
benchmark  study  in  which  several  teams  of  risk  experts  calculated 
the  failure  probability  of  a  system.  All  the  experts  were  given  the 
same  system  design  and  the  same  failure  data  for  the  system 
components.  The  large  variability  in  answers  (almost  four  orders 
of  magnitude)  was  attributed  to  the  different  assumptions  the 
experts  made. 
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Risk  Characterization  Methods 

■  Quantitative 

♦  point  estimates 

♦  categorization 

■  Qualitative 

Risk  Characterization  Methods 

Risk  assessment  involves  processing  a  large  quantity  of  data. 
Often  hundreds  or  even  thousands  of  mishap  scenarios  must 
be  evaluated  to  estimate  the  risk  of  an  operation.  Thus,  an 
analyst  should  consider  the  level  of  detail  needed  in  risk  results 
in  order  to  make  decisions  prior  to  starting  the  risk  assessment 
process.  Qualitative  methods  as  well  as  coarse  and  detailed 
quantitative  methods  exist  for  characterizing  risk  results.  When 
trying  to  get  the  big  picture  and  identify  general  areas/opera¬ 
tions  where  higher  risk  exists,  qualitative  methods  may  suffice. 
When  comparing  two  competing  design  alternatives  with  differ¬ 
ent  strengths  and  weaknesses,  a  more  detailed  risk  assessment 
may  be  needed  to  see  the  impact  of  the  different  designs. 

The  following  are  examples  of  risk  assessment  results  in  four 
different  categories. 

Absolnte  frequency  estimates 

•  The  expected  frequency  of  plant  explosions  is  5  x  1 0’^  per 
year 

•  We  expect  that  four  large  toxic  releases  will  occur  during  the 
lifetime  of  this  facility 

•  The  probability  of  a  large  release  of  chlorine  sometime 
during  a  1  -year  period  is  2  x  1 0  ® 

•  The  probability  of  a  safety  system  failure  is  4  x  1 0“*  per  batch 

•  We  expect  to  see,  on  the  average,  one  small  fire  every  month 
in  this  process  building 

•  The  mean  time  between  runaway  reactions  in  this  reactor  is 
1,000  years 

Absolnte  consequence  estimates 

•  This  mishap  will  seriously  injure  50  people  because  of  blast 
overpressure  and  thermal  radiation  effects 

•  If  this  event  occurs,  we  expect  the  process  to  sustain  $2 
million  in  equipment  loss  and  3  months  of  downtime 

•  The  maximum  downwind  center  line  concentration  of  HF 
beyond  the  plant  boundary  will  be  500  ppm,  given  that  the 
release  occurs 
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•  If  the  reactor  detonates,  we  estimate  that  20  employee  fatali¬ 
ties  will  occur  and  50  members  of  the  public  will  be  hurt 

•  The  toxic  plume  is  expected  to  extend  4,000  meters  down¬ 
wind  at  concentrations  above  the  short-term  exposure  limit 
(STEL) 

•  The  results  indicate  that  2,000  people  will  be  exposed  to  a 
concentration  of  ammonia  greater  than  the  emergency 
response  planning  guideline  concentration  (e.g.,  ERPG-2) 

•  If  the  pipe  breaks,  we  expect  a  1 00-kg-per-second  release  of 
butane  into  the  diked  area 

•  The  maximum  distance  that  a  1  -psi  overpressure  will  be  felt  is 
500  meters 

Absolute  risk  estimotes 

•  The  risk  to  employees  from  this  process  is  5  x  1 0'^  expected 
fatalities  per  year 

•  The  annual  economic  risk  of  operating  this  unit  is  $1  million 
because  of  fire  and  explosion  accidents 

•  This  analysis  shows  that  less  than  1  injury  per  year  is  ex¬ 
pected,  but  the  frequency  of  injuring  1 ,000  or  more  people 
is  once  every  5,000  years 

•  We  calculate  the  frequency  of  mishap  A  as  once  every  5  years 
and  mishap  B  as  once  every  1,000  years 

•  The  total  loss  if  A  occurs  will  be  $200  million 

•  The  risk  of  A  and  B  are  the  same  —  $200,000  per  year 

Relative  risk  estimates 

•  The  risk  from  Process  A  is  about  15  times  greater  than  the 
risk  from  Process  B 

•  If  design  changes  1  and  2  are  made  and  operating  proce¬ 
dure  A  is  modified,  then  the  risk  of  operating  the  unloading 
facility  can  be  reduced  by  a  factor  of  30 

•  The  major  risk  contributor  in  this  process  is  failure  of  safety 
system  C.  Its  failure  contributes  to  50%  of  the  risk  of  this 
process 

•  The  estimated  risk  of  a  worker  fatality  during  this  operation 
is  1 ,000  times  smaller  than  the  risk  to  an  average  individual 
from  driving  a  car  to  work  once 
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Point  Estimate  Risk  Characterization 


Risk^il^  =  ^Wihop  ^  ^AMshop 
scenario  scenario  scenario 


where 


#^rt  fawig 

I  III# 


and 

F  =  frequenc/  of  occurrence 
C  =  consequence 
P  3=  probability  of  occurrence 


Point  Estimate  Risk  Characterization 

Hishap  Risk  Ccdenlalioa  (Cost  s  $10,000) 


Scenarios 

Initiating 

Event 

Failed 

Scrfeguords 

Scenario 

Frequencies 

Scenario  1 

A 

B 

C 

Vy 

X  0.1 

X  0.01 

=»  0.001/y 

Scenario  2 

D 

F 

G 

Scenario  3 

0.1/y 

E 

O.Vy 

X  0.1 

B 

X  0.1 

X  0.1 

^muhop 

=  0.001/y 

=  0.01 /y 
»  0.012/y 

Risk  s  0.012/yx  $10,000  «  $120/y 


As  you  can  see,  we  identified  three  scenarios  that  could  cause 
this  particular  mishap,  which  has  an  associated  consequence  of 
$10,000.  The  mishap  frequency  is  the  sum  of  the  scenario 
frequencies.  Knowing  the  mishap  frequency,  consequence,  and 
risk,  management  can  now  determine  if  the  mishap  risk  is 
acceptable.  If  not,  these  same  results  help  us  focus  on  where 
additional  control  efforts  may  be  needed.  The  importance  of 
safeguard  B  in  this  example  is  about  93%.  By  finding  and  fixing 
the  root  causes  of  safeguard  B's  failure,  we  can  significantly 
reduce  the  risk  of  this  mishap  and  perhaps  others. 
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Observations  —  Point  Risk  Estimate 

■  Very  precise 

■  Accuracy  depends  on  accuracy  of 
scenario  models  and  specific  likelihood/ 
consequence  data  for  each  event 

■  Very  resource  intensive  to  use  in  detailed 
studies 

■  Can  provide  all  types  of  risk-based 
information  in  a  variety  of  presentation 
formats 


Observations  About  Point  Risk  Estimates 

As  one  can  see  from  the  example,  characterizing  risk  with  point 
estimates  provides  very  precise  answers.  However,  this  "precise¬ 
ness"  can  be  misleading  because  there  are  often  large  uncer¬ 
tainties  associated  with  the  data  used  in  these  calculations.  If 
you  are  comparing  alternatives  and  the  point  estimates  of  risk 
are  close,  you  probably  should  consider  other  factors  (ease  of 
maintenance,  amount  of  operator  training  required,  etc.)  in 
making  a  selection. 

We  also  note  that  the  point  estimate  risk  method  is  resource 
intensive  and  calculation  intensive.  If  you  do  not  have  the 
people  and  skills  to  use  this  method,  alternate  risk  estimates 
should  be  used. 
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Risk  Characterization 
Using  Categorization 

■  Define  likelihood  and  consequence 
categories 

■  Establish  appropriate  risk  priorities 

■  Identify  potential  mishap  scenarios 

■  Assign  a  likelihood  and  consequence 
category 

■  Use  the  likelihood/consequence  category 
to  assign  a  risk  priority 


Risk  Characterization  Using  Categorization 

•  Define  likelihood  and  consequence  categories  for  evaluating 
scenarios 

•  Assign  appropriate  risk  acceptance  levels  to  each  likelihood/ 
consequence  combination  using  a  risk  matrix  or  numerical 
equation 

•  Identify  potential  mishap  scenarios  using  structured  hazard 
analysis  techniques 

•  Assign  a  likelihood  and  consequence  category  for  each  out¬ 
come  of  each  scenario 

•  Use  the  combination  likelihood/consequence  category  for  each 
scenario  to  assign  a  risk  acceptance  level  to  the  scenario 

The  risk  assessment  process  changes  very  little  if  risk  is  to  be 
characterized  using  categories  versus  point  estimates,  in  this 
case,  the  analyst  must  (1)  define  likelihood  and  consequence 
categories  to  be  used  in  evaluating  mishap  scenario  risk  ac¬ 
ceptability  and  (2)  define  the  level  of  risk  associated  v/ith  each 
likelihood/consequence  category  combination,  in  defining 
categories,  you  must  provide  enough  categories  so  that  mean¬ 
ingful  results  are  obtained,  but  not  so  many  categories  that 
analysis  teams  have  difficulty  assigning  category  values  to 
scenarios. 

For  example,  using  too  few  categories  may  lead  to  analysts 
assigning  all  the  mishap  scenarios  to  the  same  risk  level.  Very 
little  is  learned  in  the  risk  assessment  process  and  no  direction 
is  given  as  to  where  to  focus  management  controls.  Too  many 
categories,  on  the  other  hand,  will  consume  excessive  amounts 
of  the  analysis  team's  time  in  determining  the  "right"  category 
assignment  for  each  mishap  scenario. 
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Frequency  and  consequence  categories  can  be  developed  in  a 
qualitative  or  quantitative  manner.  Qualitative  schemes  (i.e., 
low,  medium,  high)  typically  use  qualitative  criteria  and  ex¬ 
amples  of  each  category  to  ensure  consistent  event  classifica¬ 
tion.  Multiple  consequence  classification  criteria  may  be 
required  to  address  safety,  environmental,  operability,  and 
other  types  of  consequences.  The  following  tables  are  the  basis 
for  a  scenario-based  risk  categorization  system  used  in  the 
hydrocarbon  processing  industry. 


Example  criteria  for  safety  conseqnenees 


Consequence 

Consequence 

Low 

A  toxic  chemical  release  is  expected  to  move  into  the  surrounding 
environment  in  negligible  concentrations.  Injuries  and  illnesses  are 
unlikely  unless  the  exposure  is  over  an  extended  period  of  time,  and 
the  injuries  and  illnesses  would  likely  be  limited  to  first  aid  cases 

Low  to  Medium 

A  toxic  chemical  release  is  expected  to  move  into  the  surrounding 
environment  in  concentrations  suffident  to  cause  injuries  and 
illnesses  unless  prompt  corrective  action  is  taken.  Should  injuries  and 
illnesses  occur,  some  recordable  cases  could  be  expected 

If  hydrocarbon  is  released,  the  release  rate  is  such  that  a  moderate 
amount  of  hydrocarbon  (in  the  range  of  a  few  hundred  pounds)  would 
be  released  in  a  few  minutes.  Should  ignition  occur  and  result  in  an 
explosion  or  fire,  some  personnel  may  have  recordable  injuries 

Medium  to  High 

A  toxic  chemical  release  is  expected  to  move  into  the  surrounding 
environment  in  concentrations  that  could  result  in  injuries  and 

Illnesses  to  people  inside  and  outside  the  facility 

If  hydrocarbon  is  released,  the  release  rate  is  such  that  a  significant 
amount  of  hydrocarbon  (in  the  range  of  2,000  to  10,000  pounds) 
would  be  released  in  a  few  minutes.  Should  ignition  occur  and  result 
in  an  explosion  or  fire,  some  personnel  may  be  seriously  injured 

High 

A  toxic  chemical  release  is  expected  to  move  into  the  surrounding 
environment  in  concentrations  that  are  life  threatening.  A  large 
number  of  people  inside  and  outside  the  facility  are  likely  to  be 
seriously  injured  or  become  seriously  ill 

If  hydrocarbon  is  released,  the  release  rate  is  such  that  more  than 
10,000  pounds  of  hydrocarbon  is  released  in  a  few  minutes,  forming  a 
vapor  cloud  that,  if  Ignited,  could  result  in  a  major  explosion  and  fire 
with  serious  injuries  to  personnel 
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Example  criteria  for  likelihood 


Likelihood* 

Consequence 

Low 

The  accident  scenario  is  considered  highly  unlikely.  The  probability  is 
very  low  (<  3%) 

Low  to  Medium 

The  accident  scenario  is  considered  unlikely.  It  could  happen,  but  it 
would  be  surprising  if  it  did.  The  probability  is  low  (in  the  range  of  3  to 
30%) 

Medium  to  High 

The  accident  scenario  might  occur.  It  would  not  be  too  surprising  If  it 
did.  The  probability  is  in  the  range  of  30  to  90% 

High 

The  accident  scenario  has  occurred  in  the  past  and/or  is  expected  to 
occur  in  the  future.  The  probability  is  greater  than  90% 

^Likelihood  assessments  are  for  the  remaining  life  of  the  unit,  assuming  normal  maintenance  and 
repair 


Example  risk  matrix 


o 

u 

c 


3 

o 

o 

O 

«•- 

o 
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High 

Med. 

to 

High 

Low 
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Med. 
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U 

A 

A 

U 

U 

A 

A 

M 

U 

A 

A 

A 

M 

Low  Low  Med.  High 


A  »  acceptable 
M  =  marginal 
U  3  unacceptable 


to  to 

Med.  High 

Severity  of  Consequence 
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Summary  table  of  scenarios,  risk,  and  recommendations 


Ref. 

No.  Scenarios  Considered 


Hydrocarbon 
contamination  of  the 
cooling  water  system 


Risk  Associated  with  Scenario 
Likelihood/Consequence 


Light  materia)  in  the 
bottoms  stream  from  the 
debutanizer  column 


Relief  valves  open  on  the 
upper  column  because  of 
water  carry-over  from  the 
desalters 


High  temperature  in  the 
regenerator,  the 
regenerator  overhead  lines 
from  the  top  of  the 
regenerator  to  the 
secondary  cyclones,  and 
the  CO  (80-inch  duct)  line 
from  the  secondary 
cyclones  to  the  CO  heater 


Before 

After 

Unacceptable 

Acceptable 

Frequency:  MH 

Frequency:  L 

Consequence: 

MH 

Consequence: 

MH 

Unacceptable 

Acceptable 

Frequency:  LM 

Frequency:  L 

Consequence: 

MH 

Consequence: 

MH 

Marginal 

Acceptable 

Frequency:  H 

Frequency:  LM 

Consequence: 

LM 

Consequence: 

LM 

Unacceptable 

Marginal 

Frequency:  H 

Frequency:  LM 

Consequence: 

MH 

Consequence: 

MH 

Scenarios  Considered 


Ensure  that  the  debutanizer  bottoms 
coolers,  the  debutanizer  tops  condensers, 
the  lean  oil  cooler,  the  depropanizer  tops 
condensers,  and  the  sponge  oil  cooler  are 
classified  as  dass  A  exchangers  for 
inspection  purposes 

Replace  the  tube  bundles  In  these 
exchangers  with  stainless  steel  bundles 


Review  and  if  necessary  upgrade  the 
overpressure  protection  on  the 
deisohexanizers  and  the  gasoline  treaters 

Install  a  shutoff  valve  in  the  lean  oil  line  to 
the  hydrogen  absorber;  the  valve  should 
automatically  dose  on  low  flow  in  the  line 


Continue  with  present  program  to  prevent 
bottom  sediment  and  water  from  entering 
the  unit  Induding  the  planned  installation 
of  the  on-line  water  analyzers 

Install  more  reliable  indications  of  a  loss 
of  mixer  function  at  the  crude  storage 
tank 


Install  a  low  catalyst  level  alarm  on  the 
regenerator  and  install  a  switch  that  will 
dose  the  regenerated  catalyst  slide 
valves  on  low-low  regenerator  catalyst 
level 

Install  an  atitomatic  switch  to  stop  the 
flow  of  torch  oil  to  the  regenerator  during 
a  feed  diversion 

Install  instrumentation  to  automatically 
stop  the  slurry  to  the  reactor  risers 

Use  condensate  instead  of  sour  water  for 
the  norma)  and  emergency  sprays  In  the 
regenerator  and  the  regenerator  overhead 
lines 
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The  qualitative  scheme  shown  above  can  easily  be  converted  to 
a  quantitative  scheme  by  assigning  numerical  values  to  each 
category  in  the  classification  criteria  and  risk  matrix.  This 
approach  allows  the  same  criteria  and  matrix  to  be  used  for 
qualitative  and  quantitative  analyses. 

In  developing  quantitative  frequency  and  consequence  catego¬ 
ries,  it  is  a  good  idea  to  let  the  size  of  the  categories  change 
proportionately.  For  example,  if  the  frequency  categories 
change  by  factors  of  1 0,  then  the  consequence  categories 
should  also  change  by  factors  of  10.  Since  risk  is  the  product  of 
these  two  factors,  keeping  the  category  changes  proportional 
will  help  keep  risk  estimates  proportionally  consistent. 

The  next  five  figures  depict  common  frequency  and  probability 
ranges  for  numerous  types  of  equipment  failures,  human 
errors,  etc.  These  can  be  used  to  assist  in  the  development  of 
qualitative  and  quantitative  risk  categories. 
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Common  Loss  of  Containment  Events 


1000* 


Manoging  Risk 


Probability  of  Failing  on  Demand 
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Common  Events  Involving  Equipment  Failures  of  Active  Components 


ManagingJUsk 


Probability  of  Failing  on  Demand 


M 


e 

S 


a  mm 

P 

2  a 
S  e 
aU 

S  « 


I  ^  ^ 

a  mil 

E  e  d  ^  » 


♦ 

o 

o 


’ll 

o 

o 


* 

o 


5? 


s? 


SS  m 

B  S 

O  s 

fa 


I  «§ 

I  i  1 1  « 

b  I  ^  ?|-2  1-2 

1  ^  t  |.§ 
I  I  <3  111  ll 

«  ti  ^  u  'tl  V 


S33u3nBq3  0001  °I  wnijB^  jo  3DUBq3 


2-26 


Coast  Guard  IRA  Manual 


Commoii  Human  Error  Probabilities 
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Common  External  Event  Frequencies 


Observations  —  Risk  Ckaraeterization 
Using  Categorization 

n  Less  precise  than  quantitative 
characteristics 

n  Accuracy  is  dependent  on  several  factors 
n  Generally  very  efficient  to  apply 
n  Often  an  excellent  screening  approach 
n  Results  are  often  very  subjective 
n  Can  provide  most  types  of  risk-based 
information 


Observations  About  Risk  Characterization  Using 
Categorization 

•  Less  precise  than  quantitative  characteristics 

•  Accuracy  depends  on 

-  accuracy  of  scenario  models 

-  judgment/experience  of  those  assigning  scores  for  sce¬ 
narios 

-  quality  of  available  scenario  data 

•  Very  efficient  to  apply,  but  some  perspective  about  quantita¬ 
tive  likelihood/consequences  is  necessary 

•  Often  an  excellent  screening  approach 

•  Results  are  often  very  subjective,  especially  for  rare  scenarios 

•  Can  provide  most  types  of  risk-based  information 

While  the  risk  categorization  method  is  less  precise  than  the 
point  estimate  method,  it  provides  an  excellent  way  to  identify 
higher  risk  activities/operations.  This  method  is  also  less  re¬ 
source  intensive  and  much  more  efficient  when  many  mishap 
scenarios  must  be  evaluated.  The  difficulty  encountered  in 
using  this  approach  is  the  subjective  nature  in  assigning  cat¬ 
egories.  Analysts  often  find  it  is  hard  to  pick  an  appropriate 
frequency  category  for  a  very  rare  mishap  scenario  or  an 
appropriate  consequence  category  when  a  mishap  scenario  has 
a  wide  range  of  outcomes. 

Another  limitation  of  this  method  is  in  estimating  total  risk  for 
a  mishap.  Mishap  risk  is  estimated  by  summing  the  risk  for  all 
the  contributing  mishap  scenarios.  However,  how  do  you  add 
risk  categories? 
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Qnalitaiive  Risk  Charaeterizatioii 

■  Subjective  prioritization 

■  Basic  scenario  ranking 

■  Criteria-based  scenario  ranking 


Qualitative  Risk  Characterization 

As  you  would  expect,  qualitative  methods  are  easier  and  faster 
to  use  in  characterizing  risk  than  quantitative  methods.  And 
these  methods  generally  require  less  experience  and  expertise 
among  analysis  team  members  to  use  in  characterizing  sce¬ 
nario  risk. 

Subjective  prioritization  —  an  analysis  team  assigns  mishap 
scenario  risk  (i.e.,  priority)  based  on  its  collective  judgment  of 
the  likelihood  and  severity  of  the  failures  involved  in  the  sce¬ 
nario 

Basic  scenario  ranking  —  an  analysis  team  assigns  points  to 
each  failure  in  a  mishap  scenario  based  on  the  type  of  each 
failure.  The  points  are  summed  to  get  the  scenario  risk.  Higher 
scores  indicate  lower  risks  because  more  failures  and/or  fail¬ 
ures  of  more  reliable  safeguards  are  required  to  complete  the 
sequence 

Criteria-based  scenario  ranking  —  an  analysis  team  deter¬ 
mines  if  mishap  scenario  risk  is  acceptable  or  unacceptable 
based  on  the  number  and  type  of  failures  described  in  the 
mishap  scenario.  Scenarios  with  unacceptable  risks  are  subject 
to  further  control  measures. 
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Snbjeetive  Prioritizaiioii 

■  Identify  potential  mishap  scenarios  using 
structured  hazard  analysis  techniques 

■  Subjectively  bin  scenarios  according  to 
their  perceived  level  of  risk 


Subjective  Prioritization 

Identify  potential  mishap  scenarios  using  structured  hazard 
analysis  techniques  (e.g.,  HAZOf^  FMEA,  and  CCFA,  described 
in  Section  3) 

Subjectively  assign  each  scenario  to  a  priority  category  based 
on  the  perceived  level  of  risk.  Priority  categories  can  be 

-  low;  medium,  high 

-  numerical  assignments 

-  priority  levels 

Application  to  20  scenarios 

■  Priority  1  Scenarios  3,  7,  1 5 

■  Priority  2  Scenarios  1,5,16,  18,  19 

■  Priority  3  ■1^  Scenarios  2,  4,  6,  8,  9,  1 0, 

11,12,13,14, 

17,20 

As  you  can  see  from  the  simple  example,  this  risk  characterize 
tion  process  is  very  easy  to  use  and  highly  dependent  on  the 
analyst's  perceptions  of  risk.  This  method  also  provides  limited 
direction  to  management  on  where  to  focus  control  efforts. 

Observations  about  subjective  prioritization 

•  Very  subjective 

•  Provides  only  general  prioritization  of  scenarios 

•  Very  efficient  to  implement 
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Basie  Scenario  Ranking 

■  Identify  potential  mishap  scenarios 

■  Score  scenarios  based  on  types/numbers 
of  events 

■  Prioritize  based  on  scores 


Basic  Scenario  Ranking 

•  Identify  potential  mishap  scenarios  using  structured  hazard 
analysis  techniques 

•  Score  scenarios  based  on  types/numbers  of  events  in  each 
scenario 

-  human  errors 

-  active  equipment  failures 

-  passive  equipment  failures 

■  Use  scenario  scores  to  prioritize  scenarios 

Example  scoring  guidelines 

•  1  point  for  any  event  (operating  conditions,  environmental 
conditions,  human  actions,  equipment  actions,  etc.)  expected 
to  occur  regularly  (EE) 

•  2  points  for  each  human  error  (HE) 

•  3  points  for  each  active  equipment  failure  (AEF) 

•  4  points  for  each  infrequent  external  event  (lEE) 

•  5  points  for  each  passive  equipment  failure  (PEP) 

The  table  on  the  next  page  presents  a  set  of  accident  scenarios 
that  v/ere  evaluated  using  a  scenario  ranking  methodology. 
Note  that  in  this  example,  the  scenario  that  is  ranked  highest 
doesn't  have  the  lowest  score.  This  is  because  of  the  strong 
dependencies  among  the  human  errors  associated  with  the 
highest  ranked  scenario.  Common-cause  failures  can  be  diffi¬ 
cult  to  explicitly  factor  into  qualitative  risk-based  schemes. 


Coast  Guard  IRA  Manual 


2-31 


Some  ranked  accident  scenarios  lor  catastrophic  mptnre  of 
vessel  "A" 


Rank 

Accident  Scenario 

Types  of 
Events 

Score  Based 
on  Types  and 
Numbers  of 
Events 

r 

Operator  leaves  Valve  "A"  open,  operator  leaves  Valve 
"B"  open,  and  operator  fails  to  verify  that  Valves  "A"  and 
"6**  are  closed  before  introducing  hazardous  material 
into  the  process 

HE,  HE,  HE 

6 

2 

Major  earthquake 

lEE 

4 

3 

Mechanic  improperly  calibrates  the  relief  valve  on 

Vessel  "A."  and  pressure  control  valve  for  Vessel  "A** 
sticks  closed 

HE,  AEF 

5 

4 

Catastrophic  rupture  of  Vessel  "A" 

PEF 

5 

5 

Operator  fails  to  open  the  isolation  valve  under  the  relief 
valve  on  Vessel  "A"  (after  maintenance  of  the  relief 
valve),  operator  fails  to  detect  improperly  positioned 
valve  during  monthly  status  checks  of  special  valves. 
Operator  inadvertently  misdirects  a  high-pressure  feed 
stream  into  Vessel  *'A."  and  operator  falls  to  detect/ 
mitigate  rising  pressure  (based  on  other  pressure 
indications) 

HE.  HE,  HE, 
HE 

8 

6 

Operator  fails  to  open  the  isolation  valve  under  the  relief 
valve  on  Vessel  "A"  (after  maintenance  of  the  relief 
valve),  operator  fails  to  detect  improperly  positioned 
valve  during  monthly  status  checks  of  special  valves, 
pressure  controller  erroneously  commands  pressure 
control  for  Vessel  "A"  to  close,  and  operator  fails  to 
detect/mitigate  rising  pressure  (based  on  other  pressure 
indications) 

HE.  HE. 

AEF.  HE 

9 

*This  scenario  is  ranked  as  more  important  than  three  other  scenarios  with  lower  scores  because 
the  analyst  identified  strong  dependencies  among  the  three  human  errors  associated  with  this 
scenario. 


Observations 

•  Less  subjective  than  judgment-based  approaches 

•  Provides  only  general  prioritization  of  scenarios 

•  Basis  of  scoring  has  inherent  limitations/inaccuracies 

•  Efficient  to  implement 

•  Good  screening  tool 

The  basic  scenario  ranking  method  avoids  much  of  the  subjec¬ 
tivity  contained  in  the  previous  method.  After  scores  are  as¬ 
signed  to  each  failure  in  a  mishap  scenario,  the  values  are 
totaled  to  yield  a  scenario  risk  score.  Similarly,  the  risk  scores 
for  all  scenarios  that  have  the  same  outcome  can  be  totaled  to 
estimate  a  mishap  risk.  Thus,  this  method  allows  analysts  to 
screen  various  types  of  mishaps  as  well  as  scenarios  that  con¬ 
tribute  to  mishaps. 
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Criteria-based  Scenario  Evaluation 

■  Establish  criteria  for  accepting  risks 

■  Identify  potential  mishap  scenarios 

■  Compare  scenarios  to  criteria 

■  Generate  recommendations 


Criteria-based  Scenario  Evaluation 

•  Establish  pass/fail  criteria  for  accepting  risks  based  on  the 
types  and  numbers  of  events  in  scenarios 

•  Identify  potential  mishap  scenarios  using  structured  hazard 
analysis  techniques 

•  Compare  identified  scenarios  to  criteria 

•  Generate  recommendations  to  address  scenarios  that  do  not 
meet  acceptance  criteria 
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Example  eriterio 


The  following  table  provides  examples  of  pass/fail  criteria  that 
can  be  used  in  a  criteria-based  assessment  scheme. 


Type  of  Criteria 

Examples 

Number  of  safeguards  that  must  fail  before 
a  specific  consequence  of  interest  occurs 
(i.e.,  the  number  of  events  in  each 
scenario) 

There  may  not  be  any  one-event  scenarios 
capable  of  causing  a  major  explosion  on  a 
platform 

Two  safeguards  must  be  in  place  to 
prevent  a  release  of  HjS  from  entering  the 
platform's  living  quarters 

Types  of  safeguards  that  must  fail  before  a 
specific  consequence  of  interest  occurs 
(i.e.,  the  types  of  events  in  each  scenario) 

There  may  not  be  a  situation  in  which  a 
high  pressure  excursion  in  a  pipeline  could 
occur  without  at  least  one  equipment 
feilure  in  addition  to  the  equipment  failure/ 
human  error  that  initiated  the  high  pressure 
(i.e.,  no  complete  dependence  on  human 
response  to  the  upset  condition) 

An  active  and  a  passive  (or  two  passive) 
equipment  protection  are  required  for  any 
scenario  capable  of  causing  a  catastrophic 
consequence 

Combinations  of  the  number  and  types  of 
safeguards  that  must  fail  before  a  specific 
consequence  of  interest  occurs  (i  e-i  the 
numbers  and  types  of  events  in  each 
scenario) 

Single-event  scenarios  are  only  acceptable 
if  the  event  Is  a  passive  equipment  failure 
and  the  worst-case  effect  would  not  be 
catastrophic 

Scenarios  involving  multiple  passive 
equipment  failures  are  considered 
practically  impossible  unless  there  is  some 
dependency  (i.e.,  common  cause)  between 
the  failures 
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Example  of  scenario  evaluation 

This  table  presents  some  mishap  scenarios  evaluated  against 
preestablished  criteria.  Recommendations  are  made  when  the 
evaluation  criteria  are  not  met. 


Item 

Mishap  Scenario 

Types  of 
Events 

Acceptable? 

Recommendation 

1 

Operator  leaves  Valve  "A**  open, 
operator  leaves  Valve  "B"  open,  and 
operator  fails  to  verify  that  Valves  "A" 
and  "B**  are  closed  before  introducing 
hazardous  material  into  the  process 

HE,  HE,  HE 

No 

Needs  equipment 
protection 

2 

Major  earthquake 

lEE 

Yes 

! 

None 

3 

;  Mechanic  improperly  calibrates  the 
relief  valve  on  Vessel  "A,"  and 
pressure  control  valve  for  Vessel  "A" 
sticks  closed 

HE.  AEF 

Yes 

None 

a 

Catastrophic  rupture  of  Vessel  "A" 

PEF 

Yes 

None 

5 

Operator  fails  to  open  the  isolation 
valve  under  the  relief  valve  on  Vessel 
“A"  (after  maintenance  of  the  relief 
valve),  operator  fails  to  detect 
improperly  positioned  valve  during 
monthly  status  checks  of  special 
valves,  operator  inadvertently 
misdirects  a  high-pressure  feed 
stream  into  Vessel  "A,**  and  operator 
fails  to  detect/mitigate  rising  pressure 
(based  on  other  pressure  indications) 

HE,  HE,  HE. 
HE 

No 

Needs  equipment 
protection 

6 

Operator  fails  to  open  the  isolation 
valve  under  the  relief  valve  on  Vessel 
“A**  (after  maintenance  of  the  relief 
valve),  operator  fails  to  detect 
improperly  positioned  valve  during 
monthly  status  checks  of  special 
valves,  pressure  controller  erroneously 
commands  pressure  control  for  Vessel 
"A**  to  dose,  and  operator  fails  to 
detect/mitigate  rising  pressure  (based 
on  other  pressure  indications) 

HE.  HE. 

AEF.  HE 

Yes 

None 

Observations 

•  Determine  criteria  and  risk  judgments 

•  Basis  of  criteria  has  inherent  limitations/inaccuracies 

•  Efficient  to  implement 

•  Good  screening  tool 

As  you  can  see,  the  criteria-based  ranking  is  a  derivative  of  the 
basic  scenario  ranking  method.  The  two  key  differences  are 
that  numerical  scores  are  not  used  and  the  scenario  risk  results 
are  binary  (i.e.,  pass  or  fail).  Specific  recommendations  are 
made  based  on  deviations  from  the  acceptance  criteria.  The 
criteria  for  establishing  acceptability  of  scenario  risk  may  be 
subjectively  determined  by  the  risk  analyst  or  may  be  arrived  at 
using  the  numerical  scoring  described  in  the  scenario  ranking 
method. 
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Minimize 

hazards 


Redesign 


Blanage 
people  and 
eqnlpmenl 


Risk  goals  and  risk  assessment  results  provide  information  on 
Nvhere  the  most  significant  risks  exist.  The  final  step  in  the  risk 
management  process  is  the  application  of  controls  to  ensure 
that  all  risks  are  at  an  acceptable  level.  Management  can 
control  risks  by: 

Minimizing  hazards  —  Hazards  are  inherent  characteristics 
of  a  process  or  operation  that  present  a  threat  to  worker 
safety,  the  environment,  or  operation  viability  when  failures  or 
errors  occur.  By  minimizing  or  eliminating  the  hazard,  the  risk 
associated  with  the  hazard  is  minimized  or  eliminated. 

For  example,  an  ammonia  refrigeration  system  has  a  toxic 
hazard  associated  with  it.  If  a  cooling  coil  leaks,  worker  safety 
is  threatened.  Switching  the  coolant  to  freon  greatly  reduces 
the  safety  hazard,  but  increases  the  environmental  hazard. 
Switching  to  chilled  water  may  eliminate  the  hazard. 

Management  —  The  control  of  risk  is  also  achieved  through 
the  proper  management  of  people  and  equipment.  Personnel 
training;  operating  procedures;  safe  work  practices;  inspection; 
test,  and  maintenance  procedures;  quality  assurance  and 
quality  control;  and  personal  protective  equipment  require¬ 
ments  are  just  some  of  the  management  systems  we  use  to 
control  risk.  Enhancing  the  effectiveness  of  existing  systems  or 
adding  new  ones  may  further  reduce  risk. 

Redesign  —  The  addition  of  new  equipment  or  reconfigura¬ 
tion  of  existing  equipment  is  another  option  we  can  use  to  con¬ 
trol  risk.  For  example,  if  the  risk  of  an  ammonia  release  from 
the  refrigeration  system  is  too  high,  we  may  add  ammonia  gas 
detectors  and  alarms  to  threatened  work  areas  to  help  protect 
workers.  Or  we  may  identify  external  valve  packing  leakage  as 
the  major  cause  of  ammonia  releases  and  redesign  the  valves 
to  have  no  packing  (e.g.,  diaphragm  valves). 
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Section  3 

Overview  of  Common  Hazard/ 
Risk  Analysis  Methodologies 


Otrerview  of  Methodologies 


Introduction 


Hozord/IUsk  Analysis 

B  Numerous  hazard/risk  analysis  tools 
exist;  however,  the  following  features  are 
common  to  most  such  tools: 

♦  structured 

♦  predictive 

♦  experience  based 

♦  adaptive 


Structured 

Each  hazard/risk  analysis  tool  has  some  underlying  structure 
intended  to  facilitate  a  thorough  examination  of  potential  prob¬ 
lems  for  which  the  tool  is  being  applied.  Some  tools  have  very 
rigid  structures,  while  others  are  more  flexible.  Typically,  more 
highly  structured  tools  provide  a  more  complete  evaluation,  but 
often  require  much  more  analysis  effort  than  less  structured  tools. 
Although  less  structured  analysis  tools  generally  demand  less  skill 
to  apply,  they  require  more  input  from  subject  matter  experts  to 
compensate  for  issues  that  the  basic  nature  of  the  analysis  pro¬ 
cess  might  overlook. 

Predictive 

Although  some  hazard/risk  analysis  tools  can  be  valuable  for 
investigating  mishaps  that  do  occur,  the  principal  use  of  such 
tools  is  to  characterize  the  potential  for  future  mishaps.  Thus, 
hazard/risk  analysis  is  generally  a  prediction  about  what  is  ex¬ 
pected  in  the  future.  As  with  any  forecast  of  the  future,  a  mishap 
prediction  has  significant  uncertainty  and  can  be  represented  only 
as  a  "degree  of  belief."  The  certainty  (or  uncertainty)  associated 
with  mishap  predictions  creates  a  constant  tension  between: 

1 .  the  cost  of  providing  greater  certainty  and 

2.  the  value  of  more  certain  estimates  to  decision  makers. 
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Experience  Based 

Hazard/risk  analyses  are  predictive  in  nature,  but  do  not  ig> 
nore  the  past.  Some  of  the  best  information  about  possible 
future  mishaps  is  based  on  information  about  the  types,  fre¬ 
quencies,  and  severities  of  past  mishaps  in  the  same  or  other 
related  operations/applications.  Hazard/risk  analyses  use  this 
information  (as  well  as  information  about  corrective  actions 
that  have  already  been  implemented  to  address  past  mishaps) 
to  develop  perspective  about  expected  future  performance. 
Hazard/risk  analysis  tools  incorporate  this  type  of  information 
from  many  sources,  including  objective  records  (equipment 
files,  maintenance  records,  electronic  databases,  manufacturer 
information,  etc.)  and  subjective  opinions  of  subject  matter 
experts  (experienced  engineers,  operators,  and  technicians  as 
well  as  vendor  representatives  and  others). 

Adaptive 

Most  hazard/risk  analysis  tools  can  be  applied  at  various  levels 
of  detail  (i.e.,  can  be  applied  at  very  high  or  low  levels  of 
resolution)  and  to  many  types  of  systems/processes.  This  adap¬ 
tive  nature  makes  most  hazard/risk  analysis  tools  very  flexible. 
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Information  Available 
from  Hazard/Risk  Analysis 

■  Qualitative  mishap  descriptions 

■  Qualitative  judgments  about  expected 
mishaps 

■  Quantitative  measures  of  loss 
prevention- related  "factors  of  merit" 

■  Relative  importance  of  mishap 
contributors 

■  Recommendations  for  improvement 


The  format  of  outputs  from  various  hazard/risk  analysis  tools  are 
quite  distinct,  but  can  be  divided  into  the  following  categories; 

Qualitative  mishap  descriptions.  Descriptions  of  sequences 
of  events  (equipment  failures,  human  errors,  and  external 
influences)  capable  of  producing  mishaps  of  interest. 

Qualitative  judgments  about  expected  mishaps.  Subjective 
judgments  (i.e.,  informed  opinions)  about  whether  the  threat  of 
possible  mishaps  is  significant  enough  to  prevent  achievement  of 
loss  prevention  goals/objectives.  Frequently  based  on  the  num¬ 
bers  of  events  (single  failures/errors  versus  multiple  event  sce¬ 
narios)  and  types  of  events  (active  equipment  failures,  passive 
equipment  failures,  errors  of  omission,  errors  of  commission,  etc.) 
leading  to  mishaps.  Often  evaluated  in  relation  to  established 
benchmarks  for  which  acceptance/rejection  decisions  have  al¬ 
ready  been  made  (e.g.,  this  scenario  is  less  likely  than  another 
scenario  for  which  no  improvements  were  suggested). 

Quantitative  measures  of  loss  prevention-related  "factors 
of  merit."  Quantitative  estimates  of  loss  prevention-related 
parameters  such  as  reliability,  availability,  environmental  risk, 
personnel/public  risk,  economic  risk,  etc.  Used  to  judge  whether 
the  threat  of  possible  mishaps  is  significant  enough  to  prevent 
achievement  of  numerical  loss  prevention  goals/objectives  (e.g., 
the  system  is  expected  to  be  available  97%  of  the  time,  which 
exceeds  the  goal  of  95%  availability).  Sometimes  includes  evalua¬ 
tions  ("what-if"  scenarios)  of  sensitivity  to  changes  such  as  imple¬ 
mentation  of  recommendations,  changes  in  operating  conditions/ 
strategies,  etc. 
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Relative  importance  of  mishap  contributors.  Identification 
of  the  most  significant  potential  mishaps  based  upon  the  likeli¬ 
hood  and/or  consequences  of  those  mishaps.  Prioritizations  by 
scenarios  and/or  specific  failures/errors. 

Recommendations  for  improvement.  Suggestions  for  improv¬ 
ing  loss  prevention  performance.  Include  suggestions  for  new/ 
improved  engineered  systems,  administrative/management 
controls,  and  items  for  further  evaluation.  These  recommenda¬ 
tions  may  decrease  the  likelihood  of  a  mishap  and/or  the  conse¬ 
quences  of  a  mishap. 
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A  life  Cycle  Approoch  to 
Performing  Hazard/Risk  Analysis 


■  Research 

■  Design 

♦  conceptual 

♦  preliminary 
4  detailed 

B  Fabrication/ 
construction/ 
manufacturing 


B  Operation 

♦  startup 

♦  ongoing 

B  Decommissioning 


Research 

Analysis  focus  on  assessing  inherent  safety  and  reliability  of 
certain  technologies.  Primarily  interested  in  technical  models 
("physics  of  failure")  of  how  failures  occur  over  time,  number  of 
demands,  number  of  cycles,  etc.  Also  interested  in  key  param¬ 
eters  that  must  be  controlled  in  design,  manufacturing,  and 
operation  to  translate  research  technology  into  viable  applica¬ 
tions. 


Design 

Analysis  focus  on  ensuring  that  the  selected  configuration/operat¬ 
ing  strategy  will  provide  the  necessary  loss  prevention  perfor¬ 
mance  to  meet  overall  performance  goals/objectives.  Keenly 
interested  in  identifying  "weak  links"  and  opportunities  for  im¬ 
provements  in  components  and  systems. 

Coneeptaal  phose 

Analysis  focus  on  determining  how  overall  performance  goals/ 
objectives  translate  into  goals/objectives  for  individual  systems. 
Assessment  (at  a  high  level)  of  whether  required  loss  prevention 
performance  is  realistically  achievable  and  what  modifications/ 
improvements  would  be  necessary  to  meet  overall  goals/objec¬ 
tives.  Comparison  of  various  design  concepts  to  determine  which 
option(s)  deserves  further  development  based  on  a  variety  of 
factors,  including  project  risk  and  expected  life  cycle  costs  (such  as 
the  cost  of  mishaps  and  their  prevention). 
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Preliminary  phase 

Analysis  focus  on  determining  how  individual  system  goals/ 
objectives  translate  into  component  goals/objectives.  Assessment 
(at  a  more  detailed  level)  of  whether  required  loss  prevention 
performance  is  realistically  achievable  and  what  modifications/ 
improvements  would  be  necessary  to  meet  system  goals/objec> 
tives.  Optimization  of  expected  system  performance  characteris¬ 
tics  based  on  a  number  of  factors  (including  costs,  loss  of  mission, 
risk,  etc.). 

Detailed  phase 

Analysis  focus  on  ensuring  that  component  selection  and  configu¬ 
ration  allows  systems  to  meet  individual  component  goals/objec¬ 
tives.  Assessment  (at  a  component  level)  of  whether  required  loss 
prevention  performance  is  realistically  achievable  and  what 
modifications/improvements  would  be  necessary  to  meet  compo¬ 
nent  goals/objectives.  Optimization  of  component  selection  based 
on  a  number  of  factors  (including  costs,  loss  of  mission,  risk,  etc.). 
Also  interested  In: 

1 .  critical  parameters  for  safe  and  reliable  fabrication/construc¬ 
tion/  manufacturing, 

2.  important  operating  limits  and  startup  criteria, 

3.  appropriate  preventive/predictive  maintenance  tasks,  and 

4.  necessary  spare  parts/materials  stores. 

Fabrication/Construction/Manufacturing 

Analysis  focus  on  ensuring  that  established  specifications  have 
been  satisfied  and  identifying  any  special  fabrication/construc¬ 
tion/manufacturing  issues  not  identified  during  design  that  could 
affect  loss  prevention  performance.  Assessment  of  the  potential 
significance  of  any  identified  field  nonconformances  as  well  as 
any  proposed  changes  during  fabrication/construction/manufac¬ 
turing. 

Operation 

Analysis  focus  on  optimization  of  operating/maintenance/supply 
strategies  while  achieving  loss  prevention  goals/objectives. 

Startup 

Analysis  focus  on  ensuring  that  operating/maintenance  strategies 
(including  plans,  procedures,  and  training)  promote  realization  of 
inherent  safety  and  reliability  and  are  optimized  based  on  a 
variety  of  factors  (including  costs,  loss  of  mission,  risk,  etc.). 
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Ongoing 

Analysis  focus  on  ensuring  that: 

1 .  changes  (planned,  unplanned,  and  unintentional)  do  not 
significantly  affect  loss  prevention  performance  and 

2.  operating/maintenance  strategies  remain  optimized  based  on 
a  variety  of  factors  (including  costs,  loss  of  mission,  risk,  etc.), 
especially  in  light  of  data  that  will  become  available  over  years 
of  operation. 

Decommissioning 

Analysis  focus  on  liability  issues  associated  with  decommissioning 
(e.g.,  safety,  health,  and  environmental  risks)  and  what  actions  to 
take  to  control  those  risks  to  acceptable  levels. 
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Overview  of  Common  Ancdysis  Tools 


■  Hazard  screening  analysis  tools 

■  Broadly  applicable,  detailed  analysis 
tools 

■  Narrowly  focused,  detailed  analysis  tools 


Screening  Analysis  Tools 

Used  for  high-level  analyses  intended  to: 

1 .  provide  a  general  characterization  of  expected  mishaps  and 

2.  identify  the  most  significant  areas  of  interest  for  further 
evaluation. 

Often  generate  some  effective  recommendations  for  improve¬ 
ment,  but  seldom  at  a  detailed  level. 

Example  tools: 

•  Parts  count  analysis 

•  Pareto  analysis 

•  Facility  risk  review  (FRR) 

•  Safety  review 

•  Relative  ranking 

Broadly  Applicable,  Detailed  Analysis  Tools 

Used  for  more  detailed  analysis  of  complete  systems  that  have 
been  determined  to  be  potentially  important  in  some  regard. 
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Example  tools: 

•  Checklist  analysis 

•  What-if  analysis 

•  Hazard  and  operability  analysis  (HAZOP) 

•  Failure  modes  and  effects  analysis  (FMEA) 

•  Fault  tree  analysis  (FTA) 

•  Event  tree  analysis  (ETA) 

•  Cause-consequence  analysis  (CCA) 

•  Markov  analysis 

•  Block  diagram  analysis 

•  Systems  approach  to  human  element  risk  analysis 

Narrowly  Focused,  Detailed  Analysis  Tools 

Used  for  detailed  analysis  of  specific  items/issues/mechanisms 
that  have  been  determined  to  be  potentially  important  in  some 
regard. 

Example  tools 

■  Weibull  analysis 

•  Human  reliability  analysis  (HRA) 

•  Common  cause  failure  analysis  (CCFA) 

•  Sneak  circuit  analysis  (SCA) 

•  Software  failure  analysis 

•  Physics-of-failure  modeling 

•  Worker  and  instruction  evaluation  (WISE) 
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Hazard  Screening  Analysis  Tools 

■  Parts  count  analysis 

■  Pareto  analysis 

■  Facility  risk  review  (FRR) 

■  Safety  review 

■  Relative  ranking 
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Ports  Count  Analysis 

Failure  rate  of  component  1  {k^) 
+  Failure  rate  of  component  2  (X2) 
+  Failure  rate  of  component  3  (X3) 
+  Failure  rate  of  component  4  (X4) 


=  System  Failure  Rate  (A) 

N 

A  =  ^  X|  Where  N  is  the  total 

number  of  components 

Summary  of  Parts  Count  Anolysis 

Simple  analysis  method  that  sums  the  failure  rates  of  individual 
components  within  a  system  capable  of  producing  mishaps  of 
interest  to  estimate  the  mishap's  frequencies. 

Brief  summary  of  eharaeteristies 

•  Systematic,  structured  assessment  relying  on  simple  summation 
of  component  data  to  generate  meaningful  estimates  of  system 
failure  frequencies/likelihoods 

•  Primarily  performed  by  an  individual  analyst  working  with 
available  component  data  and  generic  component  failure  data 
sources 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  quality  of  component  data,  and  the  train¬ 
ing  of  the  analyst 

Most  common  uses 

Generally  applicable  for  almost  every  type  of  analysis  application, 
but  most  effectively  used  for  systems  whose  risk  characteristics  are 
dominated  by  single  event  failures. 

Often  used  as  a  rough  screening  approach  for  estimating  reliabil¬ 
ity  characteristics  of  systems,  but  can  be  effectively  used  to  de¬ 
velop  system  failure  rate  predictions  in  relatively  simple  electronic 
and/or  mechanical  systems  in  which  the  system  fails  if  any  one 
part  of  the  system  fails. 
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Example  from  the  Reliability  Analysis  Center's  Reliability  Tooikit 


Unit 

Qty 

Faiiure 

Rate 

(FPMH)* 

Data 

Source 

Data  Source 
Environment 

Environment 

Adjustment 

Factor 

Total 

Failure 

Rate 

(FPMH) 

3%"  Disk 
Drives 

2 

40 

Field 

Office 

1 

80 

CD-ROM 

Drive 

3 

10 

Handbook 

Office 

1 

30 

Hard 

Drive 

1 

35 

Vendor 

test 

Office 

1 

35 

CPU 

Board 

1 

35 

Field 

Aircraft 

.25 

1 

Keyboard 

1 

10 

Field 

Office 

1 

10 

Monitor 

1 

40 

Field 

Aircraft 

.25 

10 

Modem 

1 

3 

Handbook 

Office 

1 

3 

Totals  (FPMH) 

169 

Mean  time  between  failures  (hours) 

5,917 
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Pareto  Analysis 


System  A 


Component 

•1 

Component 

f7 

Compmienl 

Component 

f2Q 

Components 

2. 3. 4,  9. 

10. 11. 13. 14.  IS. 
11. 17.  IS.  19 

ImpertMtFaw  TiMelMany 


T  1  I  I  I - \ - 1 - 1 - ! - 1 - 1 - r— 1 - ! - 1 

Number  of  PaJhiTM  Over  Past  10  Years 


Summary  of  Pareto  Analysis 

Prioritization  technique  that  identifies  the  most  significant  items 
•  among  many.  Employs  the  "80-20"  rule,  which  states  that  20%  of 

the  causes  produce  80%  of  the  effects. 

Brief  snuntary  of  characteristics 

•  Used  as  both  a  system-level  and  component-level  analysis 
technique 

•  Yields  broad  quantitative  results  that  are  graphically  depicted 
on  simple  bar  charts 

•  Depending  on  the  information  analyzed,  the  technique  gener¬ 
ally  requires  some  form  of  data  tracking  (e.g.,  monitoring  the 
number  of  mission  losses  or  delays  [recorded  in  hours]) 

•  Applicable  to  any  operating  system 

Most  common  uses 

Most  often  used  to  rank  system  failure  causes.  Can  be  used  to 

rank  the  causes  that  contribute  to  individual  component  failures. 

Also  used  to  evaluate  the  reliability  improvement  resulting  from 

system  modifications  using  before-and-after  data. 
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3  3  4  $ 


■iMiMM  bllHtItllUON 
CMtCatagery 


Summary  of  Facility  Risk  Review  (FRR) 

Uses  systematic  analyses  at  a  high  level  to  provide  a  broad  char¬ 
acterization  of  potential  mishaps  and  to  (1)  generate  recommen¬ 
dations  for  improvements  and  (2)  focus  further,  more  detailed 
analysis  on  the  most  important  areas. 

Brief  snmmarY  of  eharacteristies 

•  Systematic  process  built  on  the  same  structure  as  used  for 
more  detailed  failure  modes  and  effects  analyses  or  event  tree 
analyses,  but  applied  only  at  system/subsystem  levels  (not 
down  to  the  component  level) 

•  Generally  applied  to  entire  facilities 

•  Applicable  to  virtually  any  system,  but  typically  used  for  manu¬ 
facturing  processes 

•  Generates: 

1 .  qualitative  descriptions  of  scenarios  leading  to  potential 
problems 

2.  rough  estimates  of  equipment  damage,  repair  cost,  business 
interruption  cost,  safety  risks,  environmental  risks,  etc. 

3.  recommendations  for  improvements  and/or  more  detailed 
analysis 

Most  eommoii  uses 

Primarily  used  to  provide  an  effective  screening  of  risks  for  entire 
facilities. 
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Example  accident  freqpiency  categories 


Average  Time 
Between 
Occurrences 
(years) 

Frequency 
(per  year) 

Description 

>300 

<•003 

Not  expected  to  occur 

100-300 

q 

1 

CO 

o 

o 

Not  iikely  to  occur  during  the  iifetime  of  a 
faciiity,  vessei,  etc. 

30-100 

.01  -  .03 

Expected  to  occur  no  more  than  once  during 
the  lifetime  of  a  faciiity,  vessel,  etc. 

10-30 

.03 -.1 

Expected  to  occur  no  more  than  once  or 
twice  during  the  lifetime  of  a  facility,  vessel, 
etc. 

3-10 

.1-.3 

Expected  to  occur  several  times  during  the 
lifetime  of  a  facility,  vessel,  etc. 

1-3 

.3-1.0 

Expected  to  occur  between  once  a  year  and 
once  every  3  years 

<1 

>1.0 

Expected  to  occur  more  than  once  a  year 

I  I  Example  cost  categories 


Category 


1 


Frequency  (per  year) 


Less  than  1 
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Summary  of  Safety  Review 

Detailed  system  evaluation/inspection  to  identify  hazardous 
conditions  and  practices  based  on  general  guidelines  (including 
regulatory  requirements  and  company  standards). 

Brief  snmmorY  of  characteristics 

•  Assessments  range  from  very  informal  to  very  formal 

•  Typically  performed  by  an  individual  or  small  group  of  safety 
experts,  although  larger  groups  are  sometimes  used 

•  Generally  includes  interviews  with  subject  matter  experts, 
reviews  of  procedures,  and  visual  inspection  of  equipment 
conditions  and  operations 

•  Generates  qualitative  summaries  of  areas  for  improvement 
and  areas  where  current  conditions/practices  seem  appropriate 

•  Quality  of  evaluation  determined  by  experience  of  reviewers 

Most  common  nses 

Generally  used  In  conjunction  with  checklist  analyses  (as  de¬ 
scribed  later).  Also,  frequently  used  as  an  inspection  tool  to 
ensure  that  required  safeguards  are  in  place.  Safety  reviews  are 
used  as  the  basis  for  most  unstructured  system  design  reviews 
and  field  safety  reviews.  These  reviews  are  also  often  used  for 
pre-startup  safety  review  of  systems  and  safety  reviews  of  special/ 
unique  operations. 
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Relative  Ranking 


Loss  Prevention r/  Hazard/Risk  —  - 
Periotmance  Index  “  F^IFacloi^,  Factor,, 


Some  example  hazard/risk  index  factors: 

♦  robust  design  margins 

♦  levels  of  redundancy 

♦  human  factors  considerations 

♦  vulnerability  to  external  events 

♦  use  of  proven  technology 

♦  etc. 


Summary  of  Relative  Ranking 

Uses  attributes  of  a  process  or  activity  to  calculate  index  numbers 
that  are  useful  for  making  relative  comparisons  of  various  pro¬ 
cesses  and  activities  (and  in  some  cases  can  be  correlated  to 
absolute  risk  estimates). 

Brief  snmittarY  of  characteristies 

•  Very  systematic  process  built  on  the  experience  of  the  ranking 
system  developers 

•  Generally  performed  by  an  individual  (sometimes  a  small 
group)  trained  to  understand  the  ranking  system,  not  necessar¬ 
ily  safety/reliability  experts 

•  Based  mostly  on  interviews,  documentation  reviews,  and  field 
inspections 

•  Used  most  often  as  a  system-level  analysis  technique 
,  •  Applicable  to  almost  any  system  or  activity 

•  Generates: 

1 .  index  numbers  that  provide  ordered  lists  of  processes  or 
activities 

2.  lists  of  attributes  contributing  most  to  risks 

•  May  be  used  to  characterize  absolute  risks  associated  with  a 
process  or  activity 

•  Quality  of  evaluation  primarily  determined  by  the  relevance/ 
quality  of  the  ranking  system  and  the  training  of  the  user(s) 
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Most  common  uses 

Primarily  used  to  compare  various  situations/options  with  applica¬ 
tions  in  facility  siting  and  alternative  design  comparisons. 

Can  be  used  to  prioritize  processes  or  activities  for  further  evalua¬ 
tion  according  to  their  rankings. 


Example  results 


Factor  Scores 


Design  Level  of  Human 
Margin  Redundancy  Factors 


Vulnerability 
to  External 
Event 

Proven 

Technology 

5 

8 

5 

5 

5 

3 
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Broadly  Applicable, 
Detculed  Analysis  Tools 


■  Checklist  analysis 

■  What-if  analysis 

■  Hazard  and 
operability  analysis 
(HAZOP) 

■  Failure  modes  and 
effects  analysis 
(FMEA) 

■  Fault  tree  analysis 
(FTA) 


■  Event  tree  analysis 
(ETA) 

■  Cause-consequence 
analysis  (CCA) 

■  Markov  analysis 

■  Block  diagram 
analysis 

■  Systems  approach  to 
human  elements  risk 
analysis 
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Checklist  Analysis 


Evoluatlon  Points 

m 

Q 

Not  Evaluatod 

Commonts 

Sobjoct  Aroa  1 

Evaluation  Point  1-1 
Evaluation  Point  1-2 
Evaluation  Point  1-3 

1 

1 

Roiommondotlon  A 

Subjoct  Atm  2 

Evaluation  Point  2-1 
Evaluation  Point  2-2 
Evaluation  Point  2-3 

♦ 

✓ 

Subjoct  Aroa  3 

• 

■ 

1 

Summary  of  Checklist  Analysis 

Systematic  evaluation  against  preestablished  criteria  in  the  form 
of  one  or  more  checklists. 

Brief  summary  of  characteristics 

•  Very  systematic  approach  built  on  the  historical  knowledge 
included  in  checklist  questions 

•  Used  for  system-level  or  component-level  analysis 

•  Applicable  to  any  system  or  procedure 

•  Generally  performed  by  an  individual  (sometimes  a  small 
group)  trained  to  understand  the  checklist  questions,  not 
necessarily  safety  experts 

•  Based  mostly  on  interviews,  documentation  reviews,  and  field 
inspections 

•  Generates  qualitative  lists  of  conformance  and  nonconfor¬ 
mance  determinations  with  recommendations  for  correcting 
nonconformances 

•  Quality  of  evaluation  primarily  determined  by  the  experience  of 
people  creating  the  checklist(s)  and  the  training  of  the  checklist 
user{s) 

Most  common  uses 

Most  often  used  as  a  supplement  or  integral  part  of  another 
method  (especially  what-if  analysis)  to  address  specific  require¬ 
ments,  but  seldom  used  alone  because  of  the  possibility  of  over¬ 
looking  unique  circumstances/issues  not  covered  in  the  checklist. 
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Example  checklist 

A.  Piping  and  Valves 

1 .  Is  the  piping  specification  suitable  for  the  process  conditions,  considering: 

-  compatibility  with  process  materials  and  contaminants  (e.g.,  corrosion  and  erosion 
resistance)? 

-  compatibility  with  cleaning  materials  and  methods  (e.g.,  etching,  steaming,  pigging)? 

-  normal  pressure  and  temperature? 

-  excess  pressure  (e.g.,  thermal  expansion  or  vaporization  of  trapped  liquids,  blocked  pump 
discharge,  pressure  regulator  failure)? 

-  high  temperature  (e.g.,  upstream  cooler  bypassed)? 

-  low  temperature  (e.g.,  winter  weather,  cryogenic  service)? 

-  cyclical  conditions  (e.g.,  vibration,  temperature,  pressure)? 

-  external  corrosion  because  of  the  piping's  design  (e.g.,  material  of  construction,  insulation 
on  cold  piping),  location  (e.g.,  submerged  in  a  sump),  or  environment  (e.g.,  saltwater 
spray)? 

2.  Is  there  any  special  consideration,  for  either  normal  or  abnormal  conditions,  that  could 
promote  piping  failure?  For  example; 

-  Would  flashing  liquids  autorefrigerate  the  piping  below  its  design  temperature? 

-  Could  accumulated  water  freeze  in  low  points  or  in  dead-end  or  intermittent  service  lines? 

-  Could  cryogenic  liquid  carry-over  chill  the  piping  below  its  design  temperature? 

-  Could  heat  tracing  promote  an  exothermic  reaction  in  the  piping,  cause  solids  to  build  up 
in  the  piping,  or  promote  localized  corrosion  in  the  piping? 

-  Could  the  pipe  lining  be  collapsed  by  vacuum  conditions? 

-  Could  a  process  upset  cause  corrosive  material  carry-over  in  the  piping,  or  could  dense 
corrosive  materials  (e.g.,  sulfuric  acid)  accumulate  in  valve  seats,  drain  nipples,  etc.? 

-  In  high  temperature  reducing  service  (e.g.,  hydrogen,  methane,  or  carbon  monoxide), 
could  metal  dusting  cause  catastrophic  failure?  is  the  piping  protected  by  suitable  chemical 
addition  (e.g.,  sulfides)? 

-  Is  the  piping  vulnerable  to  stress  corrosion  cracking  (e.g.,  caustic  In  carbon  steel  piping, 
chlorides  in  stainless  steel  piping)?  Should  the  piping  be  stress  relieved? 

-  Is  the  piping  vulnerable  to  erosion?  Are  piping  elbows  and  tees  designed  to  minimize 
metal  loss,  and  are  they  periodically  inspected? 

-  Could  rapid  valve  closure  or  two-phase  flow  cause  hydraulic  hammer  in  the  piping? 

Should  valve  opening/closing  rates  be  dampened  to  avoid  piping  damage? 

-  Are  there  flexible  connections  that  could  distort  or  crack? 

3.  Can  piping  sizes  or  lengths  be  reduced  to  minimize  hazardous  material  inventories? 

4.  Have  relief  devices  been  installed  in  piping  runs  where  thermal  expansion  of  trapped  fluids 
(e.g.,  chlorine)  would  separate  flanges  or  damage  gaskets? 

5.  Are  piping  systems  provided  with  freeze  protection,  particularly  cold  water  lines,  instrument 
connections,  and  lines  in  dead-end  service  such  as  piping  at  standby  pumps?  Can  the  piping 
system  be  completely  drained? 

6.  Were  piping  systems  analyzed  for  stresses  and  movements  resulting  from  thermal  expansion 
and  vibration?  Are  piping  systems  adequately  supported  and  guided?  Will  any  cast-iron 
valves  be  subjected  to  excessive  stresses  that  could  fracture  them?  Will  pipe  linings  crack 
(particularly  at  the  flange  face)  because  of  differential  thermal  expansion? 
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7.  Are  bellows,  hoses,  and  other  flexible  piping  connections  really  necessary?  Could  the  piping 
system  be  redesigned  to  eliminate  them?  Are  the  necessary  flexible  connections  strong 
enough  for  the  service  conditions? 

8.  What  are  the  provisions  for  trapping  and  draining  steam  piping? 

9.  Which  lines  can  plug?  What  are  the  hazards  of  plugged  lines? 

10.  Are  provisions  made  for  flushing  out  all  piping  during  startup  and  shutdown?  Are  hoses, 
spools,  jumpers,  etc.,  flushed  or  purged  before  use? 

1 1  .Are  the  contents  of  all  lines  identified? 

1 2.  Are  there  manifolds  on  any  venting  or  draining  systems  and,  if  so,  are  there  any  hazards 
associated  with  the  manifolds? 

13.  Are  all  process  piping  connections  to  utility  systems  adequately  protected  against  potentially 
hazardous  flows? 

-  Are  there  check  valves  or  other  devices  preventing  backflow  into  the  utility  supply? 

-  Are  there  disconnects  (spools,  hoses,  swing  elbows,  etc.)  with  suitable  blinds  or  plugs  for 
temporary  or  infrequently  used  utility  connections? 

-  Are  there  double  blocks  and  bleeds  for  permanent  utility  connections? 

14.  Are  spray  guards  installed  on  pipe  flanges  in  areas  in  which  a  spraying  leak  could  injure 
operators  or  start  fires? 

15.  Will  the  piping  insulation  trap  leaking  material  and/or  react  exothermically  with  it? 

1 6.  Have  plastic  or  plastic-lined  piping  systems  been  adequately  grounded  to  avoid  static 
buildup? 

1 7.  Are  there  remote  shutoff  devices  on  off-site  pipelines  that  feed  into  the  unit  or  storage  tanks? 

18.  Can  bypass  valves  (for  control  valves  or  other  components)  be  quickly  opened  by  operators? 

-  What  hazards  may  result  if  the  bypass  is  opened  (e.g.,  reverse  flow,  high  or  low  level)? 

-  What  bypass  valves  are  routinely  opened  to  increase  flow,  and  will  properly  sized  control 
valves  be  installed? 

-  Is  the  bypass  piping  arranged  so  it  will  not  collect  water  and  debris? 

-  Is  there  a  current  log  of  open  bypass  valves  kept  in  the  control  room  so  operators  can 
ensure  that  they  are  reclosed  if  necessary  in  an  emergency? 

1 9.  How  are  the  positions  of  critical  valves  (block  valves  beneath  relief  devices,  equipment 
isolation  valves,  dike  drain  valves,  etc.)  controlled  (car  seals,  locks,  periodic  checks,  etc.)? 

20.  How  are  the  positions  of  critical  valves  (e.g.,  emergency  isolation  valves,  dump  valves) 
indicated  to  operators?  Is  the  position  of  all  nonrising  stem  valves  readily  apparent  to  the 
operators?  Do  control  room  displays  directly  indicate  the  valve  position,  or  do  they  really 
indicate  some  other  parameter,  such  as  actuator  position  or  torque,  application  of  power  to 
the  actuator,  or  initiation  of  a  control  signal  to  the  actuator? 

21  .Are  block  valves  or  double  block  and  bleed  valves  required: 

-  because  of  high  process  temperatures? 

-  because  of  high  process  pressures? 

-  because  the  process  material  is  likely  to  erode  or  damage  valve  internals? 

-  because  the  process  material  is  likely  to  collect  on  the  valve  seat? 

-  for  worker  protection  during  maintenance  on  operating  systems? 
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22.  Are  critical  isolation  valve  actuators  pov/erful  enough  to  close  the  valves  under  worst-case 
differential  pressure  conditions  (including  backflow)  in  the  event  of  a  rupture? 

23.  Are  chain  operators  for  valves  adequately  supported  and  sized  to  minimize  the  likelihood  of 
valve  stem  breakage? 

24.  How  will  control  valves  react  to  loss  of  control  medium  or  signal?  Do  the  control  valves: 

-  reduce  heat  input  (cut  firing,  reboiling,  etc.)? 

-  increase  heat  removal  (increase  reflux,  quench,  cooling  water  flow,  etc.)? 

-  reduce  pressure  (open  vents,  reduce  speed  of  turbines,  etc.)? 

-  maintain  or  increase  furnace  tube  flow? 

-  ensure  adequate  flow  at  compressors  or  pumps? 

-  reduce  or  stop  input  of  reactants? 

-  reduce  or  stop  makeup  to  a  recirculating  system? 

-  isolate  the  unit? 

-  avoid  overpressuring  of  upstream  or  downstream  equipment  (e.g.,  by  maintaining  level  to 
avoid  gas  blowby)? 

-  avoid  overcooling  (below  minimum  desired  temperature)? 

25.  Will  control  valve  malfunction  result  in  exceeding  the  design  limits  of  equipment  or  piping? 

-  Are  upstream  vessels  between  a  pressure  source  and  the  control  valve  designed  for  the 
maximum  pressure  when  the  control  valve  closes? 

-  Some  piping's  class  decreases  after  the  control  valve.  Is  this  piping  suitable  if  the  control 
valve  is  open  and  the  downstream  block  closed?  Is  other  equipment  in  the  same  circuit? 

-  is  there  any  equipment  whose  material  selection  makes  it  subject  to  rapid  deterioration  or 
failure  if  any  specific  misoperation  or  failure  of  the  control  valve  occurs  (overheating, 
overcooling,  rapid  corrosion,  etc.)? 

-  Will  the  reactor  temperature  run  away? 

-  Is  the  three-way  valve  used  in  a  pressure-relieving  path  the  equivalent  of  a  fully  open  port 
in  all  valve  positions? 

26.  Is  there  provision  in  the  design  for  a  single  control  valve  to  fail: 

-  in  the  worst  possible  position  (usually  opposite  the  fail-safe  position)? 

-  with  the  bypass  valve  open? 

27.  Upon  a  plantwide  or  unitwide  loss  of  control  medium  or  signal,  which  valves  should  fail  to  a 
position  that  is  different  from  their  normal  failure  positions?  How  were  the  conflicts  resolved? 

28.  Can  the  safety  function  of  each  automatically  controlled  valve  be  tested  while  the  unit  is 
operating?  Will  an  alarm  sound  if  the  sensing-signal-control  loop  fails  or  is  deactivated? 
Should  any  bypass  valves  be  car  sealed  or  locked  closed? 

29.  Are  battery  limit  block  valves  easily  accessible  in  an  emergency? 

30.  Are  controllers  and  control  valves  readily  accessible  for  maintenance? 
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Summary  of  Whot-if  Analysis 


Questions 
'^hat  if  {a  specific 
component}  fails?'' 
"What  if  {a  specific 
process  upset} 
occurs?" 

"What  if  {a  specific 
human  error}  occurs?" 
"What  if  {a  specific 
external  event} 
occurs?" 


Responses 

"{Immediate  system 
condition} 

potentially  leading  to 
(consequence  of  interest} 

if  (applicable  safeguards} 
fail" 


Summary  of  What-if  Analysis 

Brainstorming  approach  that  uses  broad,  loosely  structured 
questioning  to  (1 )  postulate  potential  system  upsets  that  may 
result  in  mishaps  and  (2)  ensure  that  appropriate  safeguards 
against  those  mishaps  are  in  place. 

Brief  snmmorY  of  characteristics 

•  Systematic  but  loosely  structured  assessment  relying  on  brain¬ 
storming  to  generate  a  comprehensive  review  and  a  team  of 
system  experts  to  ensure  that  appropriate  safeguards  against 
mishaps  are  in  place 

•  Typically  performed  by  one  or  more  teams  with  diverse  back¬ 
grounds  and  experience  who  participate  in  group  review 
meetings  of  system  documentation  and  field  inspections 

•  Applicable  to  any  system  or  procedure 

•  Used  as  a  system-level  or  component-level  analysis  technique 

•  Generates  qualitative  descriptions  of  potential  mishaps  (in  the 
form  of  questions  and  responses]  as  well  as  lists  of  recommen¬ 
dations  for  preventing  problems 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  review  team  leader,  and  the 
experience  of  the  review  team(s) 

Most  common  uses 

Generally  applicable  for  almost  every  type  of  analysis  application, 
especially  those  dominated  by  relatively  simple  failure  scenarios. 

Occasionally  used  alone,  but  most  often  used  to  supplement 
other,  more  structured  techniques  (especially  checklist  analysis). 
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Example  what>ii  review  summary 


Summary  of  What-if  Review 


02/05/97  1 

Date  Page 


Process  and  Location:  PtSflt  CofiCafi 


Topic  Investigated:  Safety 


Equipment/Task  Intentions:  DfWt  CHloHnstlOti  Rescfot  Feeds 


is  contam¬ 
inated 


2.  Chlorine  feed 
is  contam¬ 
inated 


Consequence/Hazard 

Recommendation 

Responsible 

Individual 

1.  Typical  contaminant  in 
ethylene  is  oil.  Oil  will 
react  energetically  with 
chlorine.  However,  the 
amount  of  oil  in  ethylene 
is  usually  small,  and  the 
large  quantity  of 
ethylene  dichloride 
(EDO)  in  the  reactor 
should  quench  any  oil/ 
chlorine  reaction 

l.a  Verify  that  high 
purity  ethylene 

Is  available  and 
verify  reliability 
of  supply 

l.b  Determine  the 
reaction 
kinetics  for  oil/ 
chlorine 
reactions 

l.a  Ethylene 
expert 

l.b  Chemist 

2.  Typical  contaminant  in 
chlorine  is  water.  Large 
quantities  of  water  in 
chlorine  would  cause 
equipment  damage  in 
the  chlorine  plant  and 
cause  a  shutdown  well 
before  it  made  it  to  the 
VCM  plant.  Small 
quantities  of  water 
should  be  no  problem 

2.a  Verify  that 
water  content 
in  ethylene 
supplies  is  very 
low 

2.a  Ethylene 
expert 

Initial  and 
Date  When 
Resolved 
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Hazard  and  Operability  Analysis 


Potential  Potential 

Loss*  Less* 


Guide  Word  +  Process  Condition  s  Deviation 


Summary  of  Hazard  and  Operability  (HAZOP)  Analysis 

Inductive  approach  that  uses  a  very  systematic  process  (using 
special  guide  words)  for  postulating  deviations  from  design 
intents  for  sections  of  systems  and  ensuring  that  appropriate 
safeguards  are  in  place  to  help  prevent  mishaps. 

Brief  snmmarY  of  ehoracteristies 

•  Systematic,  highly  structured  assessment  relying  on  HAZOP 
guide  words  and  team  brainstorming  to  generate  a  compre¬ 
hensive  review  and  ensure  that  appropriate  safeguards  against 
mishaps  are  in  place 

•  Typically  performed  by  a  multidisciplinary  team 

•  Applicable  to  any  system  or  procedure 

•  Used  most  as  a  system-level  analysis  technique 

•  Generates  primarily  qualitative  results,  although  some  basic 
quantification  is  possible 

Most  eomiBoii  uses 

Primarily  used  for  identifying  safety  hazards  and  operability 
problems  of  continuous  process  systems  (especially  fluid  and 
thermal  systems).  Can  also  be  used  to  review  procedures  and 
sequential  operations. 
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Example  results 
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Failure  Modes  and  Effects  Analysis 


Potential  Potentlol  Potential 

Loss*  Less*  toss* 


Potential 

Loss* 


Summary  of  Failure  Modes  and  Effects  Analysis 
(FMEA) 

Inductive  approach  that  (1 )  considers  how  the  failure  modes  of 

each  system  component  could  result  in  mishaps  and  (2)  ensures 

that  appropriate  safeguards  against  such  problems  are  in  place. 

A  quantitative  version  of  FMEA  is  known  as  failure  modes,  ef¬ 
fects,  and  criticality  analysis  (FMECA). 

u 

Brief  summary  of  characteristics 

•  Systematic,  highly  structured  assessment  relying  on  evaluation 
of  component  failure  modes  and  team  experience  to  generate 
a  comprehensive  review  and  ensure  that  appropriate  safe¬ 
guards  against  mishaps  are  in  place 

•  Used  as  a  system-level  and  component-level  analysis  tech¬ 
nique 

•  Applicable  to  any  well-defined  system 

.  •  Sometimes  performed  by  an  individual  working  with  system 
experts  through  interviews  and  field  inspections,  but  also  can 
be  performed  by  an  interdisciplinary  team  with  diverse  back¬ 
grounds/experience  participating  in  group  review  meetings  of 
system  documentation  and  field  inspections 

•  Generates  qualitative  descriptions  of  potential  mishaps  (failure 
modes,  root  causes,  effects,  and  safeguards)  as  well  as  lists  of 
recommendations  for  reducing  risks 

•  Can  provide  quantitative  failure  frequency  and/or  conse¬ 
quence  estimates 

Most  common  uses 

Primarily  used  for  reviews  of  mechanical  and  electrical  systems. 
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Typical  failnre  modes  for  some  components 


Component 

Failure  Mode 

Pump 

External  leak 

External  rupture 

Fails  to  start 

Fails  off  while  running 

Starts  prematurely 

Operates  too  long 

Operates  at  degraded  head/flow  performance  (too  fast,  too  slow, 
etc.) 

Valves/dampers 

External  leak 

External  rupture 

Internal  leak 

Plugged 

Fails  to  open 

Fails  to  close 

Fails  to  change  position 

Spurious  positioning 

Opens  prematurely 

Closes  prematurely 

Gauges/indicators/ 

recorders 

Fails  with  no  output  signal 

Fails  with  a  low  output  signal 

Fails  with  a  high  output  signal 

Fails  to  respond  to  an  input  change 

Spurious  output  signal 

Motor 

Fails  to  start 

Fails  off  while  running 

Starts  prematurely 

Starts  too  late 

Operates  too  long 

Operates  at  degraded  torque/rotational  speed  performance  (runs 
backwards,  too  fast,  too  slow,  etc.) 
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Example  FMEA  table 
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Fault  Tree  Analysis 

Scenarios  pfx)ducing  TOP  event: 
♦  Bosic  event  3 


Summary  of  Fault  Tree  Analysis  (FTA) 

Deductive  anal/sis  that  graphically  models  (using  Boolean  logic) 
hov/  logical  relationships  between  equipment  failures,  human 
errors,  and  external  events  can  combine  to  cause  mishaps. 

Brief  summary  of  eharaeteristies 

•  Systematic,  highly  structured  assessment  relying  on  the 
analyst's  experience  to  generate  a  comprehensive  review  and 
ensure  that  appropriate  safeguards  against  mishaps  are  in 
place 

•  Used  most  as  a  system-level  analysis  technique 

•  Consideration  of  human  errors  and  common-cause  failures 
strongly  influences  results 

•  Primarily  performed  by  an  individual  working  with  system 
experts  through  interviews  and  field  inspections 

•  Generates: 

1 .  qualitative  descriptions  of  potential  mishaps  (combinations 
of  events  causing  specific  mishaps  of  interest) 

2.  quantitative  estimates  of  mishap  frequencies  and  relative 
importances  of  various  accident  sequences/contributing 
events 

3.  lists  of  recommendations  for  reducing  risks 

4.  quantitative  evaluations  of  recommendation  effectiveness 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 

Most  common  uses 

Generally  applicable  for  almost  every  type  of  analysis  application, 
but  most  effectively  used  to  address  the  fundamental  causes  of 
specific  mishaps  dominated  by  relatively  complex  combinations  of 
events. 


3-36 


Coast  Guard  IRA  Manual 


Overview  of  Methodologies 


Broadly  Applicable  Tools 


Coast  Ghiard  IRA  Manual 


3^7 


Overview  of  Methodologies 


Broadly  Applicable  Tools 


Event  Tree  Anolysis 


LOA1  LOA2  LOA3 


Initiating 

Event 


F 


F  «  Failure  of  LOA  S  « 


Consequence  I 
Consequence  II 
Consequence  III 
Consequence  IV 
Consequence  V 

Success  of  LOA 


Summary  of  Event  Tree  Analysis  (ETA) 

Inductive  analysis  that  graphically  models  (using  decision  trees) 
the  possible  outcomes  from  an  initiating  event  capable  of  produc¬ 
ing  a  mishap  of  interest. 

Brief  summary  of  characteristics 

•  Systematic,  highly  structured  assessment  relying  on  the 
analyst's  experience  to  generate  a  comprehensive  review  and 
ensure  that  appropriate  safeguards  against  mishaps  are  in 
place 

•  Primarily  performed  by  an  individual  working  with  system 
experts  through  interviews  and  field  inspections 

•  Generates: 

1 .  qualitative  descriptions  of  potential  mishaps  (combinations 
of  events  producing  various  types  of  mishaps  from  common 
initiating  events) 

2.  quantitative  estimates  of  mishap  frequencies/likelihoods 
and  relative  importances  of  various  accident  sequences/ 
contributing  events 

3.  lists  of  recommendations  for  reducing  risks 

4.  quantitative  evaluations  of  recommendation  effectiveness 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 

Most  common  uses 

Generally  applicable  for  almost  every  type  of  analysis  application, 
but  most  effectively  used  to  address  possible  outcomes  of  initiat¬ 
ing  events  for  which  multiple  safeguards  (lines  of  assurance)  are 
in  place  as  protective  features. 
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Overview  of  Methodologies 


Broadly  Applicable  Tools 


Cause* 

Consequence 

Analysis 


Summary  of  Cause-Consequence  Analysis  (CCA) 

Combination  of  fault  tree  analysis  and  event  tree  analysis  using 
slightly  different  graphical  symbols. 

Brief  snmmarY  of  ehoracteristies 

See  the  descriptions  for  fault  tree  analysis  and  event  tree  analysis. 

Most  common  nses 

See  the  descriptions  for  fault  tree  analysis  and  event  tree  analysis. 
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Markov  Analysis 


State  2 


Two-component  system: 

♦  State  1 :  Both  working,  system  working 

♦  State  2:  Component  1  failed,  component 
2  working,  system  working 

♦  State  3:  Component  1  working, 
component  2  failed,  system  working 

♦  State  4:  Both  failed,  system  failed 


Summary  of  Markov  Analysis 

Model  of  all  possible  states  of  a  system  (and  transitions  be¬ 
tween  states)  that  allows  an  analyst  to  calculate  frequencies/ 
probabilities  of  system  states  of  interest  (typically  failure  states 
that  result  in  mishaps). 

Brief  summary  of  choroeteristies 

•  Systematic,  highly  structured  assessment  relying  on  the 
analyst's  experience  to  generate  a  comprehensive  review  and 
ensure  that  appropriate  safeguards  against  mishaps  are  in 
place 

•  Primarily  performed  by  an  individual  analyst  working  with 
system  experts  through  interviews  and  field  inspections 

•  Generates: 

1 .  qualitative  descriptions  of  potential  failure  states  producing 
mishaps  (combinations  of  events  causing  specific  mishaps  of 
interest) 

2.  quantitative  estimates  of  mishap  frequencies/likelihoods 
and  relative  importances  of  various  accident  sequences/ 
contributing  events 

3.  lists  of  recommendations  for  reducing  risks 

4.  quantitative  evaluations  of  recommendation  effectiveness 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 
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Most  common  nses 

Generally  applicable  for  almost  every  type  of  analysis  applica¬ 
tion,  but  most  effectively  used  to  address  the  fundamental 
causes  of  specific  mishaps  whose  risk  characteristics  are  domi¬ 
nated  by  relatively  complex  combinations  of  events. 

Only  used  when  simpler  analysis  forms  (such  as  fault  tree 
analysis  and  block  diagram  modeling)  cannot  be  used  to 
model  a  situation  appropriately. 
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Block  Diagrom  Analysis 


Success  Paths: 

♦  Cl  working,  C2  working,  C3A  working,  C4A  working 

♦  Cl  working,  C2  working,  C3A  working,  C4B  working 

♦  Cl  working,  C2  working,  C3B  working,  C4A  working 

♦  Cl  working,  C2  working,  C3B  working,  C4B  working 


Summary  of  Block  Diagram  Analysis 

Deductive  analysis  that  graphically  models  (using  simple  block 
diagrams)  the  combinations  of  system  functions  that  provide 
successful  system  operations. 

Brief  summary  of  eharacteristies 

•  Systematic,  highly  structured  assessment  relying  on  the 
analyst's  experience  to  generate  a  comprehensive  reviev/  and 
ensure  that  appropriate  safeguards  against  mishaps  are  in 
place 

•  Primarily  performed  by  an  individual  v/orking  with  system 
experts  through  interviews  and  field  inspections 

•  Generates: 

1 .  qualitative  descriptions  of  system  functions  that  must  be 
preserved  to  avoid  mishaps 

2.  quantitative  estimates  of  mishap  frequencies  and  relative 
importances  of  various  accident  sequences/contributing 
events 

3.  lists  of  recommendations  for  reducing  risks 

4.  quantitative  evaluations  of  recommendation  effectiveness 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 
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Most  common  uses 

Generally  applicable  for  almost  every  type  of  analysis  application, 
but  most  effectively  used  to  model  the  key  system  functions  for 
preventing  mishaps  and  to  set  loss  prevention  goals  for  various 
sections  of  a  system  (especially  useful  for  systems  whose  risk 
characteristics  are  dominated  by  relatively  complex  combinations 
of  events). 

[|  ||  Example  block  diagram 


”1 _ [— 

r — h 

1 

^  _  - 

^ 

3.5  Inch  Disk 

CD-ROM  Drives 

1  of  2  Required 

Herd  Drive  CPU  Keyboard  Monitor  Modem 

Board 

Drives  1  of  3 
Required 
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Summary  of  a  Systems  Approach  to  Human  Element 
Risk  Analysis 

This  methodology  was  developed  as  part  of  the  Coast  Guard 
Prevention  Through  People  initiative  and  is  patterned  after 
portions  of  the  Systems  Methodology  Applied  to  Risk  Terminol¬ 
ogy  (SAAART)  technique  developed  by  Dr.  Vernon  L.  Grose, 

D.SC.,  Chairman  of  Omega  Systems  Group.  This  systematic 
approach  uses  available  historical  data,  employs  subject  matter 
experts,  and  examines  operations  and  subprocesses  as  a  sys¬ 
tem.  This  tool  allows  the  chain  of  human  errors  to  be  identified 
and  then  interrupted  through  cost-effective  prevention  mea¬ 
sures. 

Brief  sammary  of  characteristics 

•  Systematic,  highly  structured  assessment  relying  on  the 
analyst's  experience  to  generate  a  comprehensive  review  and 
ensure  that  sufficient  human  preventive  actions  against  mis¬ 
haps  are  in  place 

•  Generates: 

1 .  qualitative  descriptions  of  system  functions  that  must  be 
preserved  to  avoid  mishaps 

2.  quantitative  estimates  of  mishap  frequencies/likelihoods 
and  relative  importance  of  various  accident  sequences/ 
contributing  events 

3.  lists  of  human  preventive  actions  recommended  for  reducing 
risks 

4.  quantitative  evaluations  of  recommendation  effectiveness 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 
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The  steps  of  the  process  are  outlined  as  follows: 

1 .  Define  known  inputs  and  desired  outputs 

2.  Create  a  functional  flow  block  diagram  (FFBD) 

3.  Identify  high-risk  activities 

4.  Write  scenarios  for  high-risk  activities  (predictive  and 
historical) 

5.  Identify  root  causes 

6.  Conceive  potential  human  element  preventive  actions  for 
every  risk  scenario 

7.  Determine  the  full  cost  of  every  potential  human  element 
preventive  action 

8.  Evaluate  the  risk  control  potential  (high,  medium,  or  low) 

9.  Recommend  preventive  actions  for  implementation 

1 0.  Approve  recommended  preventive  actions  for  implementa¬ 
tion 

1 1 .  Develop  and  execute  an  implementation  plan 

1 2.  Evaluate  effectiveness  of  implemented  actions 

Most  common  uses 

Generally  applicable  for  almost  every  type  of  analysis  application, 
but  most  effectively  used  to  model  the  key  system  functions  for 
preventing  mishaps  and  to  set  loss  prevention  goals  for  various 
sections  of  a  system  (especially  useful  for  systems  whose  risk 
characteristics  are  dominated  by  relatively  complex  combinations 
of  events). 

Example  resnlts 

On  the  following  pages  are  the  results  from  a  study  applying  this 
methodology  for  determining  whether  training  should  be  consid¬ 
ered  to  prevent  a  maritime  security  risk. 
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Step  1:  lapnts  and  desired  outputs  for  a  waterfront  facility 
warehouse  security  system 


Known  Inputs 

•  enclosed  warehouse 

•  lighting  system 

•  intrusion  detection 
system 

•  locking  system 

•  fencing  system 

•  pilferable  goods 

•  facility  employees 

•  freight  movers/ 
customers 

•  visitors 

•  unauthorized 
personnel 

•  security  personnel 

•  security  manager 

•  thieves  with 
opportunity  and 
desire  to  steal  goods 


Waterfront 

Facility 

Warehouse 

Security 

System 


Desired  Outputs 

•  no  loss  of  goods  due 
to  theft 

•  no  unauthorized 
personnel  in  the 
facility 

•  high  employee 
morale 

•  reputation  as  a  well- 
run  and  secure 
facility 

•  maximum  profit  for 
company 

•  maximum  return  of 
client  business 

•  attract  new  clients 
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Step  4:  Scenario  for  a  high-risk  activity 


Risk  Analysis  Scenario  Form 


Scenario  No.  1 


FFBDNo.1  Block  No.  19 


Risk  Scenario  Description  (Historical _ ;  Predictive  X  )A  warehouse  is  used  to  store  portable 

generators,  pumps,  and  other  industrial  equipment  awaiting  shipment.  At  2  a.m..  a  tractor-trailer 
arrives.  The  gate  guard  recognizes  the  markings  on  the  truck  as  those  belonging  to  a  carrier  that 
does  frequent  business  with  the  facility.  Although  entry  procedures  require  guards  to  check 
shipping  papers  and  verify  driver  identification,  the  guard  considers  this  unnecessary.  He  is  also 
unaware  of  a  new  policy  that  requires  guards  to  record  vehicle  registration  tags.  He  is  extremely 
fatigued  due  to  having  only  slept  3  hours  in  the  last  24  due  to  working  a  second  job.  He  waves  the 
truck  through.  At  4  a.m..  the  truck  exits  the  facility.  Later  that  morning,  over  $100,000  worth  of 
equipment  is  discovered  missing. 


Step  5:  IdentiiiGation  of  root  causes 


I  Root  Causes 

1.  Apparent 

a 

Failure  of  guard  to  follow  standard  entry  procedures  after  normal  work  hours 
(i.e.,  check  shipping  papers  and  verify  identification  of  driver/carrier) 

fli 

Poor  judgment  exercised  by  guard  (i.e.,  complacency  with  familiar  truck 
company) 

2.  Propagating 

Guard  fatigued;  slept  only  3  hours  in  last  24 

1 

Poor  communication  of  watch  standards  to  guards  (i.e.,  truck's  registration 
tags  not  recorded) 

□ 

Advanced  theft  techniques  used  against  facility 

B 

Warehouse  left  open  and  not  staffed  between  0000-0500;  thieves  not 
detected 

3.  Originating 

a 

No  training  provided  to  guards  on  entry  procedures  and  importance  thereof 

b 

No  training  provided  to  guards  on  theft  detection 

c 

No  surveillance  camera  system  installed  in  warehouse 

ID 

Little  to  no  supervision  of  security  guards  (i.e.,  fatigued  security  guards 
routinely  permitted  to  stand  watch) 
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Steps  6-8:  Idenliiieafioii  of  potential  human  element  preventive 
actions  lor  every  risk  scenario,  evaluation  of  the  full 
cost  of  these  actions,  and  evalnation  of  the  risk  control 
potential  of  these  actions 


Human  Element  Potential  Preventive  Actions  (PA) 


Cause 

Addressed 

Action 

Risk 

Control 

Potential 

Cost 

1a.  1b,  2b. 
2c.  3a,  3b 

Require  in-house  training  on  entry 
procedures,  security  goals  of  the 
facility,  and  theft  detection 

H".  H,  H 

$7K 

2b 

Establish  a  formal  mechanism  for 
communicating  new  security 
procedures  and  changes  to  existing 
watch  standards  (e.g.,  security 
operations  manual,  memos  to  guards) 

M",  H.  H 

$1K 

2a 

Develop  a  more  flexible  watch 
schedule  to  ensure  that  guards  are 
rested  and  prepared  for  duty 

L",  M,  H 

$.5K 

2a 

Redesign  guard  shack  to  be  more 
ergonomic  and  prevent  fatigue 

L.  M.L 

$30K 

3d 

Conduct  random  spot  checks  of 
security  guards  by  the  security 
manager 

M,  H.H 

$2K 

la,  2b,  3a, 
3b 

Post  a  "security  procedure  of  the  day" 
board  in  the  guard  shack  to  enhance 
retention  of  watch  standards 

M,  H.H 

$1K 

1a,  3a,  3b 

Require  guards  to  pass  a  certification 
test  after  initial  training;  administer 
periodic  "pop  quizzes"  thereafter  to 
maintain  qualification 

H.  H,H 

$2K 

3d 

Establish  a  reward  and  recognition 
program  for  security  excellence 

L.  M.M 

$1.5K 

2a 

Establish  a  fitness  program  to  keep 
guards  in  shape  and  alert  and  to 
reduce  stress 

L.  M,M 

$7K 

la 

Record  shipping  papers  and  vehicle 
arrivals/departures  using  electronic 
scanners 

M.  M.L 

$35K 

2d 

Establish  a  "notice  of  arrival"  signal 
between  front  gate  and  warehouse  for 
carrier  deliveries 

M,  H,M 

$1.5K 

3c 

Install  remote  camera  system  to 
monitor  warehouse  operations 

M,  M,L 

$10K 
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Narrowly  Focused, 

Detoiled  Analysis  Tools 

■  Weibull  analysis 

■  Human  reliability  analysis  (HRA) 

■  Common  cause  failure  analysis  (CCFA) 

■  Sneak  circuit  analysis  (SCA) 

■  Software  failure  analysis 

■  Physics-of-failure  modeling 

■  Worker  and  instruction  safety  evaluation 
(WISE) 
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Weibull  Analysis 


Summary  of  Weibull  Analysis 

Failure  analysis  and  prediction  technique  that  statistically  models 
component  failures,  even  with  small  samples  of  failure  data. 

Brief  snmmory  of  charaeteristies 

•  Used  most  often  as  a  component-level  analysis  technique 

•  Quality  of  the  evaluation  largely  depends  on  the  quality  of  the 
failure  data  that  are  used.  Requires  data  tracking  (e.g.,  moni¬ 
toring  the  time  to  failure  for  a  specific  component) 

•  Yields  quantitative  results  that  are  graphically  depicted  in  a 
Weibull  chart 

•  Parameters  from  the  Weibull  plot  can  be  used  to  help  deter¬ 
mine  the  failure  mechanism  for  the  component  being  analyzed 

•  Primarily  performed  by  an  individual 

Most  common  nses 

Primarily  used  for  failure  analysis  of  mechanical  components  for 
which  good  age-to-failure  data  are  available. 

Example  Welbnll  onalysis  process 

A  manufacturer  estimates  that  its  customers  will  operate  a  product 
(a  portable  log  splitter)  for  4,000  hours  per  year,  on  average.  The 
company  wants  to  sell  the  log  splitter  with  a  1  -year  warranty,  but 
it  needs  to  estimate  the  percent  of  returns  that  will  be  experienced 
in  order  to  assess  the  warranty  cost.  The  manufacturer  authorizes 
a  test  program  using  1 0  random  samples  of  the  product  to  begin 
its  analysis. 
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Log  splitter  ranked  times  to  failure 


Sample  Number 


Sample 

Number 


Rank 

Order(i) 


Rank  Order(i) 

Time  to  Failure  (hours) 

1 

5,005 

2 

6,000 

3 

7,000 

4 

8,500 

5 

9,750 

6 

10,075 

7 

13,025 

8 

15,000 

9 

15,050 

10 

18,200 

Weibull  plots 

X-Coordinate 

Y-Coordinate 

Time  to  Failure  (hours) 

Median  Rank  (percent) 

5.005 

6.70 

6,000 

16.32 

7.000 

25.94 

8,500 

35.57 

9,750 

45.19 

10,075 

54.81 

13,025 

64.43 

15,000 

74.06 

15,050 

83.68 

18,200 

93.30 

3-54 


Const  Guard  IRA  Manual 


Overview  of  Methodologies 


Narrowly  Focused  Tools 


X2,Y2 


c 

o 

=} 

‘t— 

tli 

Q 

0) 

.> 

z> 

E 

3 

o 


The  characteristic  life,  h,  is  estimated  from  the  graph  at  the 
intercept  of  the  plotted  line  and  the  63.2%  CDF  value  by  drop¬ 
ping  a  vertical  line  to  the  x-axis.  For  the  example,  the  characteris¬ 
tic  life  of  the  log  splitter  indicates  that  after  approximately  1 2,000 
hours  of  operation  (3  years),  almost  two-thirds  of  the  log  splitters 
will  have  "worn  out." 

In  addressing  the  manufacturer's  original  question,  approxi¬ 
mately  4.5%  of  the  log  splitters  (determined  by  the  Y  value  corre¬ 
sponding  to  4,000  hours  on  the  time  to  failure  axis]  will  have  to 
be  replaced  with  new  log  splitters  in  the  4,000-hour  warranty 
period. 


Coast  Guard  IRA  Manual 


3-55 


Overview  of  Methodologies 


Narrowly  Focused  Tools 


Human  Reliability  Analysis 


SERIES  S  F  F  F 

PARALLEL  S  S  S  F 


TASK  “A"  -  THE  FIRST  TASK 
TASK“B"»  THE  SECOND  TASK 

a  >■  PROBABILITY  OF  SUCCESSFUL  PERFORMANCE  OF  TASK  “A" 

A  ■  PROBABIUTY  OF  UNSUCCESSFUL  PERFORMANCE  OF  TASK  “A" 
b|a  -  PROBABILITY  OF  SUCCESSFUL  PERFORMANCE  OF  TASK  “B” 

GIVEN  a 

B|a  -  PROBABIUTY  OF  UNSUCCESSFUL  PERFORMANCE  OF  TASK  “B” 

GIVEN  a 

b|A  >  PROBABILITY  OF  SUCCESSFUL  PERFORMANCE  OF  TASK  “B" 

GIVEN  A 

B|A  =  PROBABILITY  OF  UNSUCCESSFUL  PERFORMANCE  OF  TASK  "B" 

GIVEN  A 

FOR  THE  SERIES  SYSTEM: 

PrIS]  =  a(bta) 

PrIF]  »  1-a{bla)«a{B|a)*A(b|A)  +  A(B|A) 

FOR  THE  PARALLEL  SYSTEM: 

Pr[S]  >  1  •A(B|A)»a(b|a)4^a(B|a)+A(b|A) 

Pr[F]  »  A(B|A) 

Summary  of  Human  Reliability  Analysis  (HRA) 

Specialized  inductive  graphical  analysis  tool  (similar  in  form  to 
fault  tree  analysis  and  event  tree  analysis)  designed  for  evaluat¬ 
ing  human  sequential  operations.  Accounts  for  various  human 
errors  and  recovery  actions  as  well  as  equipment  failures. 

Brief  snmmarY  of  ehoraeteristies 

•  Systematic,  highly  structured  assessment  relying  on  the 
analyst's  experience  to  generate  a  comprehensive  review  and 
ensure  that  appropriate  safeguards  against  mishaps  are  in 
place 

•  Primarily  performed  by  an  individual  working  with  system 
experts  through  interviews  and  field  inspections 
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•  Generates: 

1 .  qualitative  descriptions  of  potential  mishaps  (combinations 
of  events  producing  various  types  of  mishaps  as  a  result  of 
human  errors  at  various  steps  of  a  procedure) 

2.  quantitative  estimates  of  mishap  frequencies/likelihoods 
and  relative  importances  of  various  accident  sequences/ 
contributing  events 

3.  lists  of  recommendations  for  reducing  risks 

4.  quantitative  evaluations  of  recommendation  effectiveness 

*  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 

Most  eomnion  uses 

Exclusively  used  for  detailed  evaluation  of  human  operations 
(especially  procedural  tasks);  most  often  used  as  a  supplement  to 
a  broader  analysis  using  another  technique. 

Best  suited  for  situations  in  which  complex  combinations  of  er¬ 
rors/equipment  failures  are  necessary  for  mishaps  to  occur. 

Often  used  in  conjunction  with  checklist  analyses  that  focus  on 
specific  human  reliability  issues  such  as  error-likely  situations. 

HRA  example 

Assume  that  the  system  described  below  exists  in  a  process  unit 
recently  purchased  by  your  company.  As  the  manager,  the  safety 
of  this  unit  is  now  your  responsibility.  You  are  concerned  because 
your  process  hazard  analysis  team  identified  the  potential  for  an 
operator  error  to  result  in  a  rupture  of  the  propane  condenser. 

You  have  chartered  an  HRA  to  estimate  the  likelihood  of  the 
condenser  rupturing  as  the  result  of  such  an  error  and  to  identify 
ways  to  reduce  the  expected  frequency  of  such  ruptures. 

System  description 

Four  parallel  propane  condensers,  one  of  which  is  illustrated  in 
the  figure  below,  are  designed  with  a  450-psig  shell  pressure 
rating  and  a  1 25-psig  tube  pressure  rating.  The  propane  vapor 
pressure  is  controlled  at  400  psig;  the  cooling  water  flowing 
through  the  condenser  tubes  is  normally  maintained  at  75  psig. 
Liquid  propane  flows  out  of  the  condenser  as  soon  as  it  con¬ 
denses;  no  significant  inventory  of  liquid  propane  is  left  in  the 
condenser.  The  two  propane  isolation  valves  for  each  condenser 
are  rising-stem  gate  valves  with  no  labels.  The  two  water  isolation 
valves  for  each  condenser  are  butterfly  valves  with  no  labels. 

Their  handwheel  actuators  have  position  indicators. 
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A  tube  has  failed  in  one  of  the  four  condensers  about  once  every 
3  years.  If  a  condenser  tube  fails,  the  affected  condenser  can  be 
removed  from  service  by  closing  four  isolation  valves  (propane 
vapor  inlet  valve,  liquid  propane  outlet  valve,  cooling  v/ater 
supply  valve,  and  cooling  water  return  valve).  However,  if  a  tube 
fails,  it  is  essential  that  the  operator  close  the  two  propane  isola¬ 
tion  valves  before  closing  the  two  water  isolation  valves.  Closing 
the  two  water  valves  first  would  allow  pressure  to  build  on  the 
tube  side  of  the  condenser  and  rupture  the  tube  head. 

Anolyzed  system  conditions 

•  A  tube  has  failed  in  the  condenser 

•  The  low  depropanizer  pressure  alarm  has  sounded  in  the 
control  room 

•  The  experienced  field  operator  has  observed  water  and  gas 
spewing  from  the  hydrocarbon  vent  at  the  cooling  tower.  The 
field  operator  shouts  over  the  radio  that  a  propane  vapor  cloud 
appears  to  be  forming  and  moving  toward  the  control  room 

•  The  control  room  operator  has  directed  the  field  operator  to 
isolate  the  failed  condenser  as  quickly  as  possible  so  that  a  unit 
shutdown  will  not  be  necessary 

•  The  operator  must  close  the  valves  by  hand.  If  a  valve  sticks, 
there  is  no  time  to  go  get  tools  to  help  close  the  valve  —  the 
process  must  be  shut  down 

•  The  field  operator  has  correctly  identified  the  condenser  with 
the  failed  tube  by  the  sound  of  the  expanding  propane  and  the 
visible  condensation/frost  on  the  shell 
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Summary  of  Common  Cause  Failure  Analysis  (CCFA) 

Specialized  approach  for  systematically  examining  sequences  of 
events  stemming  from  the  conduct  of  operations  and/or  opera¬ 
tion  of  physical  systems  that  cause  multiple  failures/errors  to 
occur  from  the  same  root  causes,  thus  defeating  multiple  layers 
of  protection  simultaneously. 

Brief  smumary  of  characteristics 

•  Systematic,  structured  assessment  relying  on  the  analyst's 
experience  and  guidelines  for  identifying  potential  dependen¬ 
cies  among  failure  events  to  generate  a  comprehensive  reviev/ 
and  ensure  that  appropriate  safeguards  against  common 
cause  failure  mishaps  are  in  place 

•  Used  most  as  a  system-level  analysis  technique 

•  Primarily  performed  by  an  individual  v/orking  with  system 
experts  through  interviews  and  field  inspections 

•  Generates; 

1 .  qualitative  descriptions  of  possible  dependencies  among 
mishaps 

2.  quantitative  estimates  of  dependent  failure  frequencies/ 
likelihoods 

3.  lists  of  recommendations  for  reducing  dependencies  among 
failure  mishaps 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 
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System  Type 

Failure 
Probability 
Omitting  CCF 

Failure 
Probability 
Considering  CCF 

Mechanical,  1  train 

10-2 

10-2 

Mechanical,  2  redundant  trains 

10-» 

10-3 

Mechanical,  3  redundant  trains 

10^ 

5x10-* 

Mechanical,  2  diverse,  redundant  trains 

10-* 

2x10-* 

Electronic,  1  train 

10^ 

10-* 

Electronic,  2  redundant  trains 

10^ 

10-s 

Electronic,  3  redundant  trains 

10-12 

10-5 

Electronic,  2  diverse,  redundant  trains 

10-3 

10-6 
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Key 


terms; 

Sneak 

Sneak 

Sneak 

Sneak 

Sneak 

Sneak 


circuit 

timing 

paths 

indications 

labels 

clues 


Summary  of  Sneak  Circuit  Analysis  (SCA) 

Inductive  approaches  for  identifying  latent  paths  that  cause 
unv/anted  functions  to  occur  or  that  inhibit  desired  functions  in 
electromechanical  circuits. 

Brief  snmmary  of  eharaelerisiies 

•  Systematic,  structured  assessment  relying  on  analysis  rules  and 
experience  of  analysts  to  generate  a  comprehensive  review 
and  ensure  that  appropriate  safeguards  against  mishaps  are  in 
place 

•  Primarily  performed  by  an  individual  working  with  system 
experts  through  interviews  and  field  inspections 

•  Generates: 

1 .  qualitative  descriptions  of  circuit  weaknesses 

2.  statistical  estimates  of  failure  frequencies/likelihoods 

3.  lists  of  recommendations  for  reducing  risks 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  analyst,  and  the  experience 
of  the  subject  matter  experts  assisting  the  analyst 

Most  eomnien  nses 

Almost  exclusively  used  to  analyze  potential  failures  in  important 
(or  "critical")  electrical  circuits.  Most  often  used  as  a  supplement 
to  a  broader  hazard  analysis  using  another  more  general  tech¬ 
nique. 
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Example  1:  Sneak  timing  (digital  signals) 

Target:  Digital  Circuitry 

Problem:  Logic  and  timing  errors  caused  by  a  digital  signal  that 
splits  and  later  recombines. 

Solution:  Analyze  the  signal  path  through  a  complete  cycle  (e.g., 
on-off-on)  to  ensure  no  timing  skew  problems.  Timing  problems 
are  eliminated  by  providing  a  clocked  data  buffer  (e.g.,  latch)  to 
sample  stable  data  where  they  recombine. 

Comment:  Recombined  paths  often  lead  to  sneak  timing  as  a 
result  of  the  logic  functions  performed  along  each  path.  A  more 
commonly  encountered  problem  is  a  transient  signal  (glitch) 
caused  by  differences  in  the  signal  propagation  delay  between 
paths.  A  clocked  buffer  reduces  timing  ofbet  "skew"  by 
resynchronizing  the  signals.  The  problem  in  Figure  A  is  that  a 
glitch  occurs  at  the  output  of  gate  U4  during  the  brief  intenral 
that  the  skewed  output  signals  at  gates  U2  and  U3  are  both  high. 
The  solution  to  this  problem  is  shown  in  Figure  B,  where  the  glitch 
is  prevented  by  sampling  the  outputs  of  U2  and  U3  with  buffer 
U5  after  the  signals  have  completed  their  transitions. 

Recombining  digital  signals 


Figure  B 
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Example  2:  Sneak  path  (power  distribution  cirenits) 

Target:  Primary  and  secondary  power  distribution  circuitry  made 
up  of  power  sources,  ground  returns,  switches,  contacts,  relays, 
circuit  breakers,  fuses,  solid  state  switches,  and/or  connectors. 

Problem:  Asymmetrical  pattern  of  connections  for  power  distri¬ 
bution  and  ground  return  circuitry. 

Solution:  Use  the  same  circuit  connection  topology  for  the  supply 
side  and  ground  side  of  a  load.  Use  the  same  connector  for 
symmetrical  power  and  ground  connections. 

Comment:  Circuit  connection  symmetry  for  power  and  ground 
distribution  implies  an  identical  number  and  location  of  power 
and  ground  connections  feeding  a  load.  Asymmetrical  connec¬ 
tions  can  cause  sneak  paths.  The  problem  in  Figure  A  is  that 
power  connection  J3  has  no  counterpart  on  the  ground  side  of 
load  X2.  If  connections  J2  and  J3  are  open  while  J1 ,  J4-1 ,  and  J4- 
2  are  closed,  current  can  unintentionally  flow  in  the  reverse 
direction  through  X2.  The  solution  to  this  sneak  circuit  is  shown  in 
Figure  B  where  the  problem  is  eliminated  by  the  inclusion  of 
connection  J3-2. 


Figure  A  Problem  Figure  B  Solution 
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Software  Failure  Analysis 


Traditional  — techniques  such  as 

♦  fault  tree  analysis 
e  FMEA 

♦  review  of  procedures 
Specialized  —  numerous  models 
for  predicting  and  estimating 
software  reliability  (typically 
based  on  data  from  fault 
detection  activities) 


Summary  of  Software  Failure  Analysis 

Assortment  of  tools  for  managing  software  development  and 
predicting  software  reliability. 

Brief  summary  of  characteristics 

•  Structured  guidelines  and  experience  of  analysts  generate 
reviews  of  software  products  in  varying  levels  of  detail  and 
ensure  that  appropriate  safeguards  against  undesirable  events 
are  in  place 

•  Primarily  performed  by  an  individual  working  with  software 
experts  through  interviews  and  source  code  reviews 

•  Generates: 

1 .  qualitative  descriptions  of  software  weaknesses 

2.  statistical  estimates  of  failure  frequencies/likelihoods  for 
software  modules 

3.  lists  of  recommendations  for  reducing  risks 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  soft¬ 
ware  documentation,  the  training  of  the  analyst,  and  the 
experience  of  the  subject  matter  experts  assisting  the  analyst 

Most  common  uses 

Exclusively  used  to  analyze  potential  failures  in  important  (or 
"critical")  software  modules.  Most  often  used  as  a  supplement  to 
a  broader  analysis  using  another  more  general  technique. 
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Software  reliability  prediction  models 

•  Rome  Laboratory  TR-92-52 

•  Rome  Laboratory  TR-92-1 5 

•  Musa's  Execution  Time  Model 

•  Putnam's  Model 

•  Historical  Data  Collection 

Software  reliability  estimation  models 

•  Fault  Count 

-  Exponential 

-  Shooman  Model 

-  Lloyd-Lipow  Model 

-  Musa's  Basic  Model 

-  Musa's  Logarithmic  Model 

-  Goel-Okumoto  Model 

•  Historical  Data  Collection  Model 

•  Raleigh  Models 

-  Schnick-Wolverton  Model 

•  Weibull  Models 

•  Test  Coverage  Models 

-  IEEE  Test  Coverage  Model 

-  Leone's  Test  Coverage  Model 

-  Test  Success  Model 

•  Tagging  Models 

-  Seeding 

-  Dual  Test  Group  Model 

•  Bayesian  Models 

•  Thompson  and  Chelson's  Model 
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Summary  of 
Physics-ol- 
Failure  Modeling 

■  Understand  and 

operate  within  ^  § 
useful  life  1 1 

■  Find  ways  to 
extend  useful  life 


Region  of  strese/etrength 
interference  where 
failuree  can  occur 


Strength 


Summary  of  Physies-of-Failure  Modeling 

Defines  relationships  betv/een  key  technical  parameters  associ¬ 
ated  with  components  (e.g.,  number  of  cycles,  stress  loads,  expo¬ 
sures  to  energy  sources,  contact  with  various  materials)  and 
reliability-related  characteristics  (particularly  time  to  failure). 

Brief  summary  of  chorocteristics 

•  Highly  technical  in  nature 

•  Primarily  useful  to  designers,  but  can  be  beneficial  to  groups 
monitoring  equipment  performance  (operators,  maintenance 
technicians,  inspectors,  etc.) 

•  Addresses  a  wide  range  of  technical  topic  areas  and  disciplines 
(mechanics,  electronics,  structures,  etc.) 

•  Provides  insight  into  how  to  avoid  failures,  but  does  not  directly 
produce  recommendations 

■  Quality  of  models  depends  on  technical  understanding  of  the 
physics  affecting  failures 

Most  common  uses 

Used  in  virtually  all  industries  for  establishing  design  guidelines 
and  guidelines  for  monitoring/extending  field  use  of  equipment. 
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Worker  and  Instruction  Safety 
Evaluation 


(Potential  l*otential 

Loss*  Utt* 


Guide  Word  +  Worker  Action  «  Deviation 


Summary  of  Worker  and  Instrneiion  Safety  Evaluation 
(WISE) 

A  specialized  form  of  HAZOP  analysis  for  analyzing  human  activi¬ 
ties  through  the  use  of  guide  v/ords  customized  for  human 
factors  issues,  including  issues  historically  addressed  through 
job  task  analysis. 

Brie!  snmmary  of  characteristics 

•  Systematic,  highly  structured  assessment  relying  on  WISE  guide 
words  and  team  brainstorming  to  generate  a  comprehensive 
review  and  ensure  that  appropriate  safeguards  against  mis¬ 
haps  are  in  place 

•  Typically  performed  by  an  interdisciplinary  team  with  diverse 
backgrounds/experience  participating  in  group  review  meet¬ 
ings  of  system  documentation  and  field  inspections 

•  Generates  qualitative  descriptions  of  potential  mishaps  (devia¬ 
tions,  causes,  consequences,  and  safeguards)  as  well  as  lists  of 
recommendations  for  reducing  risks 

•  Quality  of  the  evaluation  depends  on  the  quality  of  the  system 
documentation,  the  training  of  the  review  team  leader,  and  the 
experience  of  the  review  team 

Most  common  uses 

Exclusively  used  for  detailed  evaluation  of  human  operations 
(especially  procedural  tasks);  most  often  used  as  a  supplement  to 
a  broader  hazard  analysis  using  another  technique. 

Best  suited  for  situations  where  relatively  simple  combinations  of 
errors/equipment  failures  are  necessary  for  mishaps  to  occur. 

Often  used  in  conjunction  with  checklist  analyses  that  focus  on 
specific  human  reliability  issues  such  as  error-likely  situations. 
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Example  results 


Job 

WISE 

Guide 

Potential 

Suggested 

Step 

Words 

Consequences 

Protection 

Improvements 

Skip  Debris  in  eye  (Step  4) 

Asphyxiation  (Step  4) 
Cylinder  movement 
(Step  4) 

Less  See  Skip 

Contact  with  Burned  by  steam 

Skip  Debris  in  eye  (Step  4) 

Toxic  exposure  (Step  3) 
Flammable  release  with 
possible  fire  (Step  4) 
Struck  by  pigtail  (Step  4) 


Safety  glasses 
Room  ventilation 
Cylinder  chained  to  rack 
Cracking  open  connection 
(Step  3) 


Insulated  piping 


Less 

Contact  with 

More 

Out  of 
sequence 

Caught 

between 


Caught 

between 

Struck  by 


See  Skip 
Burned  by  steam 
Debris  in  eye 
See  Skip  -  Step  1  or  2 


Hand  pinched  between  Gloves 
wrench  and  cylinder 


Safety  glasses  Wear  respiratory 

Fire  extinguishers  protection  when 

Fire  brigade  breaking 

Cracking  open  connection  connection. 

(Step  3)  Install  check  valve 

at  catalyst  pot 


Insulated  piping 
Safety  glasses 


Exposure  to 


Wrench  dropped 


Catalyst  backflow 
(See  Skip  -  Step  2) 

Adjustable  wrench  slips 
off  nut 


Hand  pinched  between 
wrench  and  cylinder 


Safety  shoes 


Tether  a  wrench 
near  the  cylinder 
so  it  cannot  hit  the 
worker's  foot 


Tether  a  correct- 
size  wrench  near 
the  cylinder 


Debris  from  connection  or  Safety  glasses  Install  check  valve 

line  Cracking  open  connection  at  catalyst  pot 

Pigtail  whipping  (Step  3) 

Cylinder  falling  over  Cylinder  chained  to  rack 


Exposure  to 


Wrench  dropped 


Asphyxiation 
(See  Skip  -  Step  1) 
Catalyst  backflow 
(See  Skip  -  Step  2) 

Adjustable  wrench  slips 
off  nut 


Safety  shoes 


Tether  a  wrench 
near  the  cylinder 
so  it  cannot  hit  the 
worker's  foot 


Tether  a  correct- 
size  wrench  near 
the  cylinder 
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Overview  of  the  IRA  Process 

The  Coast  Guard  Integrated  Risk  Assessment  (IRA)  process 
provides  the  Coast  Guard  with  the  means  to  effectively  manage 
and  control  loss  exposure  and  risk  at  its  units,  and  provides 
risk-based  information  to  aid  Coast  Guard  personnel  in  mak¬ 
ing  tactical  as  well  as  long-term  strategic  decisions. 

This  overview  is  divided  into  three  sections: 

Introduction  to  the  IRA  Process  —  a  brief  explanation  of  the 
process,  its  purpose  and  benefits,  how  it  will  affect  current 
Coast  Guard  activities,  and  its  development  and  testing 

Exploring  the  Key  Results  of  the  IRA  Process  —  a  brief 
explanation  of  the  key  results,  who  will  use  the  results,  and 
how  they  will  use  the  results 

Understanding  the  IRA  Process  —  a  brief  explanation  of  the 
basic  strategy,  key  participants,  key  elements,  and  interfaces  with 
other  Coast  Guard  programs/processes 
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Introdnction  to  the  IRA  Process 

■  What  is  the  IRA  process? 

■  Why  does  the  Coast  Guard  need  the  IRA 
process? 

■  What  benefits  will  the  Coast  Guard 
receive  from  the  IRA  process? 

■  How  will  the  IRA  process  change  current 
Coast  Guard  activities? 

■  How  was  the  IRA  process  developed? 

■  Has  the  IRA  process  been  tested? 


Introduction  to  the  IRA  Process 

I  What  is  the  IRA  process? 

The  IRA  process  is  a  proactive,  systematic  approach  for  under¬ 
standing  the  risk  associated  with  Coast  Guard  activities  and 
preventing  potential  mishaps  within  the  Coast  Guard  by: 

•  Identifying  how  inherent  hazards  associated  with  Coast 
Guard  operations/facilities  can  produce  potential  mishaps 

•  Characterizing  the  risks  of  the  potential  mishaps 

•  Assessing  the  types/levels  of  safeguards  needed  to  effectively 
manage  the  identified  risks 

•  Ensuring  that  safeguards  adopted  by  the  Coast  Guard  are 
effectively  implemented  in  the  field 

•  Developing  recommendations  for  reducing  risks  (i.e.,  im¬ 
provements  to  operations/facilities) 

•  Producing  risk  profiles  for  operations/facilities  that  Coast 
Guard  managers  can  use  to  manage  Coast  Guard  risks 

•  Providing  risk-based  information  to  aid  in  Coast  Guard 
decisions 

I  I  Why  does  the  Coast  Guard  need  the  IRA  process? 

The  Coast  Guard  is  working  to  improve  the  management  and 
control  of  risk  for  its  units  while  operating  with  limited  re¬ 
sources.  The  IRA  process  provides  a  systematic,  proactive  ap¬ 
proach  that  allows  Coast  Guard  management  the  opportunity 
to  eliminate  or  reduce  risks  to  an  acceptable  level  before 
accidents  occur,  and  provides  objective  means  to  determine 
where  the  Coast  Guard's  limited  resources  should  be  focused 
to  efficiently  reduce  risk.  Also,  the  risk-based  information 
available  from  the  IRA  process  helps  the  Coast  Guard  better 
understand  the  implications  Coast  Guard  decisions  have  on 
risk. 
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□  What  benefits  will  the  Coast  Guard  receive  from  the  IRA 
_ j  process? 

The  Coast  Guard  will  receive  the  following  benefits  from  the 
IRA  process: 

•  Effective  management  of  risks,  focusing  analysis  and  im¬ 
provement  resources  on  the  most  critical  areas 

•  Generation  of  cost/benefit  analysis  for  recommendations  to 
address  the  most  significant  risks  at  Coast  Guard  units 

•  Confidence  that  risk-based  information  is  being  systematically 
developed  and  applied  to  various  Coast  Guard  decisions 

How  will  the  IRA  process  change  current  Coast  Guard 
activities? 

The  IRA  process  is  anchored  on  hazard  analysis,  which  will  be 
performed  for  classes  of  Coast  Guard  vessels  and  at  Coast 
Guard  facilities.  In  the  future,  there  may  be  a  benefit  in  per¬ 
forming  a  hazard  analysis  for  each  vessel  and  facility  in  the 
organization.  Routine  health,  safety,  and  operations  surveys 
performed  by  the  Coast  Guard  will  be  focused  on  the  higher 
risk  areas  to  ensure  the  most  effective  use  of  resources.  Less 
risk-critical  areas  will  be  surveyed  on  a  less  frequent  basis.  A 
cost/benefit  analysis  for  implementing  recommendations  and 
deficiency  resolutions  will  be  irnplemented  to  ensure  Coast 
Guard  dollars  are  directed  towards  efficiently  maximizing  risk 
reduction.  Coast  Guard  decision  makers  will  have  the  opportu¬ 
nity  to  take  advantage  of  the  risk-based  information  from  the 
IRA  process  when  making  decisions. 


How  was  the  IRA  process  developed? 

The  Coast  Guard,  through  its  Research  and  Development 
Center  (RDC),  initiated  two  efforts  under  the  Loss  Exposure  and 
Risk  Analysis  Methodology  (LERAM)  project  to  improve  unit  risk 
management  activities.  The  RDC  teamed  with  JBF  Associates, 
Inc.  (JBFA),  a  consulting  firm  specializing  in  hazard  and  risk 
analysis/management.  These  efforts  focused  on: 

■  Developing  a  hazard  analysis  methodology  for  systematically 
identifying  and  characterizing  the  risks  of  potential  mishaps 
•  Improving  the  Coast  Guard's  current  safety  survey  practices 

The  RDC  and  JBFA  researched  existing  Coast  Guard  practices 
and  proven  risk  management  practices  throughout  various 
industries  to  develop  these  efforts.  The  IRA  process  refines  these 
efforts  and  integrates  them  into  an  effective  Coast  Guard  risk 
management  tool. 
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Has  the  IRA  process  been  tested? 

The  complete  IRA  process  has  been  tested  on  the  WHEC‘378 
vessel  class.  In  addition,  multiple  platforms  were  used  during 
early  development  validation  of  the  IRA  process.  Listed  in  the 
table  below  are  the  IRA  processes  and  the  various  platforms 
used  in  the  tests. 


IRA  Hazard  Analysis 

Coarse  Hazard  Analysis 

Detailed  Hazard  Analysis 

WHEC-378  MELLON 

WHEC-378  MUNRO.  Indnerator 

WLIC-160  KENNEBEC 

WLIC-160  KENNEBEC, 

Deck  Operations 

WMEC-270  HARRIET  LANE 

WMEC-270  HARRIET  LANE, 
Small  Boat  Operations 

IRA  Safety 
Survey 


WHEC-378 

SHERMAN 


ISC  Seattle 


MSO  New  Orleans 


WMEC-625  VENTUROUS 
Paragon  Project 


WMEC-378  MUNRO 
Exemplar  Project 
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Exploring  the  Key  Results 
ol  the  IRA  Process 

■  What  are  the  key  results  of  the  IRA 
process? 

■  Who  will  use  the  results? 

■  How  will  the  results  be  used? 

Exploring  the  Key  Results  of  the  IRA  Process 

What  are  the  key  results  of  the  IRA  process? 

Identification  of  hazards  and  their  associated  risk 


Coarse  Hazard  Analysis 

Operation/Evolution:  Working  aids  to  navigation 

Function:  Operating  iifting  equipment 

Frequency 

■ 

Doviation 

Causes 

Mishaps 

m 

B 

B 

Certainty 

Safeguards 

Recommendations 

1.1  Loss  of 
support 

Crane  cable/ 
rigging  failure 

Loss  of 
power  to  the 
crane 

Structural 
failure  in 
buoy  during 
lifting 

Equipment 

damage/loss 

Hazardous 

exposure: 

contact  injury 

(dropped 

objects. 

broken  lines, 

etc.) 

2 

2 

1 

0.0063 

High 

Boom  is 

inspected 

annually 

Crew  inspects 
crane  daily  and 
cable  annually 

Consider  a  formal 
preventive 
maintenance 
program  for  crane 
rigging  and 
hardware 

Consider  further 
investigation  of  the 
same,  particularly 
during  loss  of  power 

Risk  matrix  characterizing  the  platform 


A/B 

C 

D 

Continuous  (8) 

0 

0 

0 

Very  frequent  (7) 

0 

2 

2 

Frequent  (6) 

0 

5 

5 

Occasional  (5) 

1 

9 

9 

Probable  (4) 

2 

15 

22 

Improbable  (3) 

6 

14 

14 

Rare  (2) 

11 

17 

10 

Remote  (1) 

36 

20 

3 

Incredible  (0) 

9 

4 

0 

Number  of  Mishaps 
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Risk  ranked  functions  and  operations/evolntions 


Risk  Contribution 


Range  of  mishap  frequencies  for  assets 


Typical  Vessel 

Typical  Vessel 

Vessel  Class 

Frequency  Bounds  for 

Expected  Number  of 

Frequency  Bounds 

Vessel 

Mishaps  (per  year) 

Occurrences  over  50  Years 

for  Mishaps  (per  year) 

A/B 

C 

D 

A/B 

C 

D 

A/B 

c 

D 

Ciass 

Vessel 

0.13 

1.4 

26  to 

7  to  65 

70 

1300  to 

1.3 

14  to 

261  to 

Class  1 

to  1.3 

to  14 

261 

to  700 

13000 

to  13 

140 

2610 

Vessel 

0.002  to  0.03 

in^ii 

7t0 

10%  chance 

10  to 

350  to 

0.014  to 

1.4 

49  to 

Class  2 

to  2 

70 

to2 

100 

3500 

0.21 

to  14 

490 
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Cost/benefit  analysis  for  implementing  risk  rednction 
recommendations 


*A  rMMonaWe  eOlmme  e(  tawtnga  ki  only  eter  fesOMT  fwimv. 

tSovingo  ommolo  astumoo  CIom  A/B  miilMgo  eatt  $300,000  and  Oau  OD  miaJwpe  eaal  $30l000. 
e£stiniolad  total  coat  of  imptafnanting  raaonvnandatlot^ 

Mato:  Savtoga  ahoiwi  account  for  30  yaarito  ala  vaaaaL 

Prioritized  safety  survey  findings  for  eost/resonree  effective 
resolution 


Evaluation 

Point 

Affected  Deviation 
(Operation/ 
evolution 
Function 
Deviation) 

Baseline 

Frequency 

Scores 

Revised 

Frequency 

Scores 

Change 
in  RIN 

Risk 

Impact 

Finding 

A/B 

B 

B 

A/B 

B 

B 

No  record  of  a 
crane  inspection 
being  performed 
for  2  years 

N003 

Working  aids  to 
navigation 

Operating  lifting 
equipment 

Loss  of  support 

2 

3 

1 

5 

6 

1 

1 

Medium 

Other  hey  results 

•  Tracking  of  resolution  of  findings 

•  Means  to  measure  the  effectiveness  of  Coast  Guard  require¬ 
ments 

•  Risk-based  information  to  be  used  by  Coast  Guard  decision 
makers 

Who  will  nse  the  results? 

•  Procurement  managers 

•  Engineering  managers 

•  Facilities  managers 

•  Unit  commands 

•  Safety  professionals 

•  Senior  management 
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How  will  the  results  be  used? 

Risk-based  information  from  the  IRA  process  will  be  used  in  all 
types  of  Coast  Guard  activities.  The  table  on  the  next  two 
pages  lists  Coast  Guard  life  cycle  activities.  Along  with  each 
activity  are  uses  of  the  IRA  information  and  example  outcomes 
of  using  the  information. 
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Type  of 
Activity 

Use  of  IRA  Process 

Example  Outcomes 

Procurement 

identification  of  major  hazards 
(including  human  factors  issues)  and 
required  hazard  controls  while 
developing  bid  specifications  for  major 
acquisitions  (e.g.,  new  vessels  or 
major  onboard  systems) 

Requiring  built-in  redundancy  for 
specific  components  of  a  vessePs 
automated  navigation  system 

Risk-based  selection  (including 
consideration  of  other  factors,  such  as 
cost)  among  competing  design 
alternatives  for  major  acquisitions 

Determining  (and  documenting)  that 
Design  A  provides  "best  value"  to  the 
Coast  Guard  because  it  poses 
significantty  less  risk  of  major  losses 
than  Design  B,  which  is  slightly  less 
expensive 

Construction, 
Fabrication,  and 
Commissioning 

Identification  of  design  weaknesses, 
safe  operating  limits,  critical  preventive 
maintenance  tasks,  human  factors 
issues,  etc,  for  selected  systems  (i.e., 
those  that  could  lead  to  losses  of 
interest)  after  the  final  design  is 
complete  for  major  acquisitions 

Requiring  an  audible  alarm  and 
semiannual  calibration  of  fathometers 
for  a  vessel 

Evaluation  of  proposed  changes  and 
identified  nonconformances  from  the 
approved  design 

Approving  a  proposed  field  change  (or 
a  recognized  nonconformance)  in  the 
routing  of  a  high-pressure  steam  line 
because  the  new  routing  poses  no 
Identifiable  increase  in  risks  to 
personnel  or  equipment 

Vessel 

Operations  and 
Maintenance 

Identification  of  precautions  to  be 
taken  in  performing  operations  outside 
of  prescribed  limits  (case-by-case 
basis  for  decisions  made  by  vessel- 
board  personnel) 

Establishing  more  stringent 
maneuvering  restrictions  and 
additional  watch  requirements  for 
performing  a  search  and  rescue  (SAR) 
operation  in  extreme  weather 
conditions  that  would  nomnally  cause 
discontinuation  of  the  operation 

Identification  of  precautions  to  be 
taken  in  preparation  for  performing 
operations  when  relevant  vessel 
systems  will  be  unavailable  (case-by¬ 
case  basis  for  operations/efficiencies 
identified  by  vessel-board  personnel) 

Posting  additional  watches  and 
conducting  special  operations  briefings 
before  conducting  an  operation 

Evaluation  of  proposed  changes  and 
identified  nonconformances  from  the 
standard  vessel  configuration  (case- 
by-case  basis  for  changes  suggested 
and  approved  by  vessel-board 
personnel) 

Rejecting  a  request  to  temporarily 
store  equipment  on  the  deck  while  a 
storage  locker  is  being  replaced 
because  the  movement  of  the 
equipment  under  expected  high  seas 
could  lead  to  losses  of  interest 

Identification  of  weaknesses  in 
procedures  that  could  lead  to  tosses  of 
interest  (case-by-case  basis  for 
procedures  developed  and  approved 
by  vessel-board  personnel) 

Revising  vague  steps  of  a  procedure 
(e.g.,  "open  the  valve  slightly"), 
because  a  human  error  associated 
with  the  operation  could  lead  to  a  loss 
of  interest 

Area,  District,  or 
Group 

Management  of 
Operations  and 
Maintenance 

Identification  of  design  weaknesses, 
safe  operating  limits,  critical  preventive 
maintenance  tasks,  human  factors 
issues,  etc.,  for  selected  systems  (i.e., 
those  that  could  lead  to  losses  of 
interest)  aboard  existing  ships  that  did 
not  receive  such  reviews  before  being 
placed  in  operation 

Recommending  redesign  of  a  small 
craft  launching  system  component  that 
could  inadvertently  trigger  a  release  of 
a  boat 
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Type  of 
Activity 

Use  of  IRA  Process 

Example  Outcomes 

Area,  District,  or 
Group 

Management  of 
Operations  and 
Maintenance 
(continued) 

Identification  of  safe  operating  limits 
(from  an  operations/command 
perspective  rather  than  a  hardware 
system  design  perspective,  which  was 
addressed  during  design  reviews)  and 
preferred  precautions  to  be  taken  if 
operating  outside  of  such  restrictions 

Prohibiting  aircraft  fueling  operations 
and  other  flammable  material  handling 
activities  until  disabled  onboard 
firefighting  systems  are  returned  to 
service,  but  allowing  emergency 
fueling  operations  if  another  onboard 
pump  can  be  rigged  to  temporarily 
provide  adequate  firefighting 
capability 

identification  of  critical  training  topics, 
standard  procedures  necessary,  etc., 
for  preventing  tosses  of  interest 

Deciding  to  write  a  special  procedure 
and  conduct  special  training  for  the 
proper  way  to  launch  a  new  type  of 
small  craft  (because  the  operation  is 
significantly  different  from  similar 
operations  with  older  small  craft) 

Identification  of  weaknesses  in 
procedures  and  human  factors  issues 
that  could  lead  to  losses  of  interest  (for 
standard  procedures  applicable  to  a 
class  of  vessels  or  the  entire  fleet) 

Making  the  units  of  pressure 
referenced  in  a  procedure  (e.g.,  SI 
units)  consistent  with  those  commonly 
used  aboard  a  vessel  and  on  the 
vessel's  gauges  (e.g..  English  units)  to 
help  prevent  confusion  that  could  lead 
to  an  operating  error 

Evaluation  of  proposed  changes  for 
standard  vessel  configurations  (case- 
by-case  basis  for  changes  approved 
by  groupAfleet  officers) 

Deciding  (1)  against  a  crew  reduction 
aboard  an  MEC  270  cutter  because  of 
unacceptable  risks  associated  with 
degraded  watch  standards  or  (2)  in 
favor  of  a  crew  reduction,  provided 
that  each  vessel  is  equipped  with  new 
navigation  and  vessel  detection 
systems 

Monitoring  profiles  of  risks  for  classes 
of  vessels  across  the  Coast  Guard  to 
help  understand/manage  risks  at  a 
fleet  level 

Determining  that  a  specific  class  of 
vessel  is  the  next  to  receive  a  major 
overhaul  (or  replacement)  program 
because  of  high  loss  rates 

Assigning  measures  of  importance  to 
safety  inspection  items  to  help 
prioritize  responses  to  noted 
deficiencies 

Deferring  resolution  of  a  few 
deficiencies  noted  during  a  safety 
inspection  until  next  fiscal  year 
because  the  deficiencies  do  not  pose 
any  significant  risks  of  losses 

Risk-based  selection  (including 
consideration  of  other  factors,  such  as 
cost)  among  competing  alternatives 
such  as  vessel  deployment,  mission 
assignments,  etc 

Deciding  to  send  Vessel  A  on  an 
extended  international  tour  because 
the  potential  for  losses  associated  with 
(1)  its  tour  and  (2)  its  absence  from  Its 
normal  station  are  less  than  those  for 
Vessel  B 

Decommis¬ 

sioning 

Risk-based  selection  (including 
consideration  of  other  factors,  such  as 
cost  and  political  pressure)  among 
competing  alternatives  for  vessel/ 
station  decommissioning 

Deciding  (and  gaining  support  for  the 
decision)  to  decommission  Vessel  B 
instead  of  Vessel  A.  even  though  there 
is  some  political  support  for  keeping 
Vessel  B  in  service 

Identification  of  weaknesses  in 
equipment  used  for  decommissioning 
and  associated  procedures  that  could 
lead  to  losses  of  interest 

Modifying  the  equipment  and 
procedures  used  to  de-inventory 
hazardous  materials  from  a  vessel 
while  the  vessel  is  being 
decommissioned 
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Understanding  the  IRA  Process 

■  What  is  the  basic  strategy? 

■  Who  are  the  key  participants? 

■  What  are  the  key  elements? 

■  What  are  the  interfaces  with  other  Coast 
Guard  programs/processes? 


Understonding  the  IRA  Process 
I  I  What  is  the  basic  strategy? 

Identify  hazards  and  their  associated  risk  and  then  manage  the 
risk  with  the  goal  of  continuously  reducing  risk  to  a  level  ac¬ 
ceptable  for  the  Coast  Guard 

I  I  Who  are  the  key  participants? 

There  are  four  groups  within  the  Coast  Guard  who  will  partici¬ 
pate  in  the  IRA  process: 

Sponsor  —  This  individual  or  group  of  individuals  (e.g.,  a  unit 
commanding  officer.  Coast  Guard  management,  unit  safety 
coordinator)  determines  the  need  for  the  process  to  be  per¬ 
formed  on  a  particular  vessel  or  at  a  particular  facility.  The 
sponsor  is  ultimately  responsible  for  obtaining  Information 
from  the  process. 

Analyst  —  This  individual  or  group  of  individuals  (e.g.,  MLC 
Health  and  Safety  personnel,  vessel  safety  coordinator)  is  respon¬ 
sible  for  performing  the  process  on  a  particular  vessel  or  at  a 
particular  facility. 

Subject  matter  expert  —  This  group  of  individuals  (e.g.,  vessel 
crew,  facility  staff)  participates  in  the  process  by  providing 
specific,  detailed  information  needed  to  assess  risks. 

Decision  maker  —  This  individual  or  group  of  individuals 
(e.g.,  a  unit  commanding  officer.  Coast  Guard  management. 
Coast  Guard  Vessel  Safety)  uses  the  IRA  process  information  to 
make  risk-based  decisions. 
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I  j  What  Are  the  Key  Elements? 


The  IRA  process  has  two  distinct,  yet  closely  related,  parts:  (1) 
hazard  analysis  and  (2)  risk-based  safety  surveys. 


Hazard  analysis 

•  The  objectives  of  hazard  analysis  include: 

-  fewer  mishaps  over  the  life  of  the  unit 

-  reduced  consequences  when  mishaps  occur 

-  improved  training  and  understanding  of  system  interactions 
and  the  effect  of  the  human  element 

-  more  efficient  and  productive  mission  execution 

•  A  hazard  analysis  involves: 

-  identifying  hazards  systematically 

-  postulating  combinations  of  equipment  failures/human 
errors/external  events  that  allow  the  hazards  to  cause 
mishaps 

-  characterizing  the  risks  of  the  potential  mishaps 

-  identifying  the  most  significant  contributors  to  risk 

-  providing  summaries  of  risk  profiles  associated  with  various 
assets 

-  developing  effective  recommendations  for  better  manage¬ 
ment  of  the  known  risks 

The  hazard  analysis  portion  of  the  IRA  process  includes  a  set  of 
tools  for  performing  different  types  of  hazard/risk  analysis  at 
various  levels  of  detail. 
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IRA  Process 


I  Hazard  Analysis  I 


Coarse  hazard  analysis 


I  •  OetMled  haurd  analysts 


1 


Risk-based 
Safety  Survey 


Coarse  hazard  analysis  —  Coarse  hazard  analysis  is  the 
cornerstone  and  workhorse  of  the  hazard  analysis  methodol¬ 
ogy  for  the  Coast  Guard.  It  is  designed  to  satisfy  most  of  the 
Coast  Guard's  needs  for  hazard/risk  information  in  a  practical 
and  efficient  manner.  This  method  provides  all  of  the  types  of 
results  of  more  detailed  evaluations,  but  with  a  lower  degree  of 
resolution.  The  following  are  characteristics  of  coarse  hazard 
analyses: 

•  Generally  applicable  to  all  types  of  Coast  Guard  platforms 

•  Capable  of  satisfying  60%  to  90%  of  the  Coast  Guard's 
hazard/risk  analysis  needs  without  requiring  the  use  of  more 
detailed  techniques 

•  Streamlined  enough  for  efficient  application  without  requir¬ 
ing  extremely  extensive  evaluations 

•  Can  be  used  by  Coast  Guard  personnel  with  modest  hazard 
analysis  experience 

•  Built  on  solid  hazard  evaluation  fundamentals  that  use  not 
only  historical  perspective  but  also  predictive  reasoning 


Detailed  hazard  analysis  —  Detailed  hazard  analysis  tech¬ 
niques  are  standard  industry-proven  hazard/risk  analysis  meth¬ 
ods  providing  better  resolution  of  potential  mishap  scenarios 
and  more  certainty  in  risk  characterization  of  mishap  sce¬ 
narios.  For  this  reason,  the  IRA  process  includes  an  assortment 
of  detailed  hazard  analysis  tools  that  can  be  used  for  specific 
Coast  Guard  applications.  These  methods  typically  require 
more  advanced  levels  of  training  for  successful  application  and 
are  used  only  when  more  detailed  analysis  is  warranted. 
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I  I  Risk-based  safety  survey 

•  •  The  objectives  of  a  risk-based  safety  survey  include: 

_____  -  focusing  on  the  most  significant  risks 

- -  providing  more  objective  prioritization  of  findings 

-  allowing  more  efficient  use  of  resources 

-  resolving  root  causes  of  findings 

-  developing  safeguard  dependability  information 

-  improving  Coast  Guard  standards  and  requirements 

•  A  risk-based  safety  survey  involves: 

- -  focusing  field  observations  and  reviews  on  the  most  risk 

significant  areas 

-  identifying  nonconformances  to  requirements,  as  well  as 
nonconformance  trends,  through  interviews  with  personnel, 
field  observations,  and  documentation  reviews 

-  determining  the  underlying  root  cause(s)  of  the  findings 

'  -  prioritizing  the  findings  and  resolving  higher  risk  findings  first 

to  efficiently  and  economically  use  resources 

-  tracking  the  resolution  of  findings  to  ensure  recommendations 
for  correcting  problems  are  resolved  in  a  timely  manner 

I  I  Although  hazard  analyses  are  useful  for  determining  what  types 

- y  and  levels  of  protection  should  be  in  place  to  effectively  control 

the  risks  of  potential  mishaps,  the  benefits  of  such  analyses  can 
be  realized  only  if  proper  field  implementation  of  the  planned 
protections  is  accomplished.  Risk-based  safety  surveys  help  to 
manage  risk  by  ensuring  requirements  specifying  protections/ 
safeguards  are  being  implemented. 

The  responsibility  and  authority  for  ensuring  that  planned 
protections  are  in  place  and  working  effectively  rests  with 
the  unit  commanding  officers  and  their  staffs. 

The  units  must  understand  the  required  protective  measures  and 
make  implementation  a  high  priority.  The  IRA  process  assumes 
that  acceptance  of  this  basic  obligation  exists  and  that  units  are 
conducting  their  own  self-surveys  to  verify  their  conformance  with 
established  requirements.  To  help  ensure  that  units  are  responsi¬ 
bly  fulfilling  their  obligations  and  to  provide  units  with  frequent 
access  to  experts  in  the  required  protections,  the  IRA  process 
includes  safety  surveys  by  third  parties  (e.g..  Maintenance  and 
Logistics  Command  [MLC]  personnel  independent  of  the  unit 
being  evaluated).  These  third-party  surveys  complement  (not 
replace)  unit  self-surveys. 
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Understanding  the  Process 


□ 


What  are  the  interfaces  with  other  Coast  Guard  programs/ 
processes? 

Training  program 


The  IRA  process  identifies  higher  risk  areas  that  require  addi¬ 
tional  training  and  lower  risk  areas  where  training  may  not  be 
justified  from  a  risk  standpoint. 


Procedure  program  (operational,  maintenance,  safety,  etc.) 

As  with  the  training  program,  the  IRA  process  identifies  higher 
risk  areas  that  require  additional  or  modified  procedures  and 
lower  risk  areas  where  procedures  or  the  extent  of  the  procedures 
may  not  be  justified  from  a  risk  standpoint. 

Management  of  chonge/configuration  management 

The  IRA  process  provides  information  for  evaluating  risk  im¬ 
pacts  of  proposed  changes  to  a  system,  process,  or  procedure. 

Inspection,  test,  and  preventive  maintenance  programs 

The  IRA  process  identifies  and  prioritizes  inspection,  test,  and 
preventive  maintenance  activities  for  systems/equipment  associ¬ 
ated  with  higher  risk  scenarios. 


Quality  assurance  programs 

The  IRA  process  identifies  and  prioritizes  quality  assurance  tests 
necessary  for  systems  and  activities  associated  with  higher  risk 
scenarios. 


Contingency  and  emergency  planning 

The  IRA  process  identifies  possible  and  most  likely  mishaps  and 
their  severity  for  use  in  contingency  and  emergency  planning. 
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Introduction 


Coarse  Hazard  Analysis 


The  IRA  Coarse  Hazard  Analysis 

■  Introduction 

■  Performing  a  coarse  hazard  analysis 

■  Updating  a  coarse  hazard  analysis 

■  Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 

■  Making  decisions  using  the  coarse  hazard 
analysis 

■  Evaluating  change  using  a  coarse  hazard 
analysis 
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Introduction 


The  IRA  Coarse  Hazard  Analysis 


■  Introduction 


■  Performing  a  coarse  hazard  analysis 

■  Updating  a  coarse  hazard  analysis 

■  Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 

■  Making  decisions  using  the  coarse  hazard 
analysis 

■  Evaluating  change  using  a  coarse  hazard 
analysis 


Coast  Guord  Coarse  Hazard  Analysis 


IRA  Process 


I  Hazard  Analysis  I 


Coarse  hazard  analysis 


•  Detailed  hazjrd  analysis 


1 


Risk-based 
Safety  Survey 


The  coarse  hazard  analysis  process  is  designed  to  satisfy  most 
of  the  Coast  Guard's  needs  for  hazard/risk  information  in  a 
practical  and  efficient  manner.  The  analysis  systematically 
identifies  risk  by  postulating  combinations  of  failures,  errors, 
and  events  that  lead  to  mishaps,  and  characterizing  the  risks  of 
those  mishaps.  The  analysis  also  identifies  the  most  significant 
contributors  to  risk,  provides  summaries  of  risk  profiles  for  the 
unit  class,  and  develops  recommendations  for  better  manage¬ 
ment  of  known  risks. 
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The  IRA  Coarse  Hazard  Analysis 

■  Introduction 


■  Performing  a  coarse  hazard  analysis 


■  Updating  a  coarse  hazard  analysis 

■  Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 

■  Making  decisions  using  the  coarse  hazard 
analysis 

■  Evaluating  change  using  a  coarse  hazard 
analysis 


Performing  a  Coarse  Hazard  Analysis 

This  section  describes  the  detailed  steps  involved  in  performing  a 
coarse  hazard  analysis. 
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Performing  an  Analysis 


Overview  of  the  Steps  for  Performing  a  Coarse  Hazard 
Analysis 

1.  Determine  the  scope  of  the  coarse  hazard  analysis 

Determining  the  scope  includes  identifying  the  hazards,  mis¬ 
haps,  operations/evolutions,  functions,  and  locations  that  will 
be  analyzed. 

2.  Screen  low  risk  operations/evolutions,  functions, 
deviations,  and  locations 

Screening  items  streamlines  the  analysis  by  eliminating  in- 
depth  review  of  low  risk  items. 

3.  Analyze  deviations 

Evoluote  the  deviations  of  eoeh  function  for  all  operations/ 
evolutions  within  the  scope  of  the  analysis. 

Evaluating  deviations  is  the  fundamental  activity  In  the  coarse 
hazard  analysis.  This  involves  identifying  mishaps,  causes,  and 
safeguards. 

Characterize  deviation  risk 

Characterizing  the  risk  associated  with  deviations  involves  assign¬ 
ing  risk  scores,  risk  index  numbers  (RINs),  and  certainty  of  the  risk 
estimate  to  each  deviation. 
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Performing  an  Analysis 


Develop  recommendations 

Often,  deviation  risk  is  high  or  uncertain,  and  recommenda¬ 
tions  to  lower  the  risk  or  recommendations  for  further  analysis 
are  necessary. 

4.  Generate  a  risk  profile 

Determine  the  risk  contribution  of  deviations 

This  step  explains  how  to  identify  the  deviations  that  are  the  high 
risk  contributors. 

Determine  the  risk  contribution  of  functions 

This  step  explains  how  to  determine  which  functions  are  the  high 
risk  contributors. 

Determine  the  risk  contribution  of  operations/evolntions 

This  step  explains  how  to  determine  which  operations/evolutions 
are  the  high  risk  contributors. 

Determine  the  risk  contribution  of  locations 

This  step  explains  how  to  determine  which  locations  are  the  high 
risk  contributors. 

Generate  a  risk  matrix 

This  step  explains  how  to  build  the  risk  matrix.  A  risk  matrix 
illustrates  the  distribution  of  deviations  in  various  frequency 
categories. 

Determine  the  unit  class  range  of  mishap  frequencies 

This  step  explains  how  to  determine  the  estimated  frequency  of 
each  class  of  mishap  occurring  for  a  unit  class. 

Compare  frequency  estimates/historical  experience 

Performing  this  step  compares  the  estimated  frequencies  of 
mishaps  with  the  historical  Coast  Guard  experience. 

5.  Evaluate  the  benefit  of  risk  reduction 
recommendations 

Determine  revised. frequency  scores  and  RlNs 

This  step  explains  how  to  determine  revised  frequency  scores 
and  RINs  for  deviations  affected  by  the  recommendation. 

Determine  the  benefit  of  implementing  recommendations 

Performing  this  step  involves  calculating  the  range  of  estimated 
benefit  (risk  reduction)  from  implementing  a  recommendation. 
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Performing  an  Analysis 


1.  Determine  the 
scope  of  the 
coarse  hazard 
analysis 


A.  Identify  the 
hazards  and 
mishaps  of 
concern 


2,  Screen  low  risk 

/  " 

ops/evs. 

/  B.  Identify  the 

functions. 

^  operations/ 

deviations,  and 

\  evolutions 

locations 

\  > 

3.  Analyze 
deviations 


4.  Generate  a  risk 
profile 


5.  Evaluate  the 
benefit  of  risk 
reduction 
recommendations 


C.  Identify  the 
functions 


D.  identify  the 
locations 


E.  Associate 
functions 
with  hazards 


Step  1  Determine  the  Scope  of  the  Coarse  Hazard  Analysis 

To  determine  the  scope  of  a  coarse  hazard  analysis,  identify 
hazards  and  mishaps  of  concern,  operations/evolutions,  func¬ 
tions,  and  locations  within  the  unit  associated  with  the  unit 
class  under  review. 
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Performing  an  Analysis 


Step  IJl 


Identify  the  hazards  and  mishaps  of  concern 


Identif/ing  and  reviewing  the  hazards  and  mishaps  of  concern 
to  the  unit  (or  class  of  unit)  are  important  to  the  success  of  the 
analysis.  The  analysis  team  needs  a  good  understanding  of  the 
hazards  to  effectively  investigate  each  mishap  scenario. 

Example:  hazard  -  flammable  materials 

•  Gasoline  (pumps  and  outboard  motors) 

•  Paint  lockers  (paints,  thinners,  etc.) 

•  Acetylene 

•  Solvents/cleaners 

•  Hydrogen  (from  batteries) 

The  table  on  the  following  pages  is  an  example  hazard  and 
mishap  identification  guide.  A  guide  such  as  this  should  be  devel¬ 
oped  and  used  during  the  analysis. 
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Hazard 

Categories 

Hazards 

Vessel-specific  Hazards 
Common  to  Coast  Guard  Vessels 

Potential  Mishaps  of  Interest 

Kinetic  energy 

Vessel  motion 

Underway  motion 

Pitch 

Roll 

Collision  with  another  vessel 

Collision  with  a  fixed  object 

Collision  with  a  floating  object 

Grounding  vessel 

Capsizing  vessel 

Sinking  vessel 

Equipment  damage/loss 

Person  overboard 

Hazardous  exposure:  contact  injury 

Motion  of 
objects 

external  to  the 
vessel  (other 
vessels, 
floating 
objects,  helos, 
etc.) 

Underway  motion  (near  Coast  Guard 
vessel/boat) 

Pitch  (alongside  Coast  Guard  vessel/boat) 
Roll  (alongside  Coast  Guard  vessel/boat) 

Collision  with  another  vessel 

Collision  with  a  floating  object  (logs, 
buoys,  etc.) 

Collision  with  helo 

Equipment  damage/loss  (from  wake  action 
or  helo  downwash) 

Person  overboard  (from  wake  action  or 
helo  downwash) 

Onboard 

equipment 

motion 

Rotating  equipment 

Drive  trains,  belts,  shafting,  gears,  etc. 
Cranes 

Anchors 

Gun  mounts 

Ammunition  loaders 

Ground  tackle 

Radar  antennas 

Unsecured  gear 

Power  tools 

Hatches 

Hazardous  exposure:  contact  injury 
(broken/misoperated/unsecured 
equipment) 

Personnel 

motion 

Movement  on  board  ship 

Person  overboard 

Hazardous  exposure:  contact  injury 

Potential 

energy 

Elevated 

objects 

Small  boats 

Objects  held  by  cranes/lifts  (stores, 
equipment,  buoys,  ammunition) 

Equipment  stored  on  shelves 

Unsecured  equipment  (e.g.,  tools)  on 
elevated  platforms 

Hazardous  exposure;  contact  injury 
(dropped  equipment) 

Equipment  damage/loss  (dropped 
equipment) 

Flotation 

Water 

Sinking  vessel 

Elevated 

personnel 

Personnel  on  ladders 

Personnel  on  platforms 

Hazardous  exposure:  contact  injury 

Personal 

flotation 

Water 

Drowning 

Hazardous  exposure:  contact  injury 

High  pressure 

Compressed  air  system 

Compressed  gas  tanks 

Hydraulic  systems 

Fire  hoses 

Hazardous  exposure:  contact  injury 
(release  of  high  pressure) 

Equipment  damage/ioss  (release  of  high 
pressure) 

Tension/ 

Compression 

Tow  lines 

Mooring,  intervessel  tension  cables,  and 
other  tension  lines 

Spring-loaded  actuators 

Ground  tackle 

Lift  cables/rigging 

Hazardous  exposure:  contact  injury 
Equipment  damage/loss 

Capsizing  vessel  (towed  vessel) 
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Hazard 

Categories 

Hazards 

Vessel-specific  Hazards 
Common  to  Coast  Guard  Vessels 

Potential  Mishaps  of  Interest 

Electrical 

energy 

Electric  power 

Generators 

Batteries 

Distribution  system 

Welding 

Toois/appliances 

Hazardous  exposure:  electrical  shock 
Fire/explosion  (electrical) 

static 

Fuel  lines 

Helo  operations 

Hazardous  exposure:  electrical  shock 
Fire/explosion  (electrical) 

Equipment  damage/loss  (electrical  power 
deviation) 

Thermal  energy 

Hot  materials 

Steam 

Hot  water  system 

Jacket  water  piping  in  engine  room 

Galley 

Lube  oil 

Diesel  exhaust 

Hazardous  exposure:  hot  environment/ 
surface/material  (bums) 

Equipment  damage/loss  (excessive 
temperature) 

Hot  surfaces 

Steam  lines 

Hot  water  lines 

Heaters 

Motors 

Failed  bearings 

Engine  room  surfaces 

Galley  equipment 

Welding  areas 

Guns 

Hazardous  exposure:  hot  environment/ 
surface/material  (bums) 

Hot 

environments 

High  temperature  in  engine  room 

High  temperature  where  delicate  electrical 
equipment  is  in  use  (e.g.,  CIC) 

High  temperature  on  deck 

Hazardous  exposure:  hot  environment/ 
surface/material  (heat  stress) 

Equipment  damage/loss  (electrical 
equipment  fails  in  high  temperature 
environment) 

Cold  materials 

Autorefrigeration  of  compressed  gases 

Hazardous  exposure:  cold  environment/ 
surfece/material  (frostbite) 

Cold 

environments 

Low  temperature  on  deck 

Low  temperature  water 

Walk-in  freezer 

Hazardous  exposure:  cold  environment/ 
surface/material  (frostbite/hypothermia) 

Acoustic 

energy 

Noise 

Engine  room 

Gunfire 

Pile  driving 

Power  tools 

Hazardous  exposure:  noise  (>84dB) 

Hazardous 

materials 

Flammables 

Gasoline  (pumps  and  outboard  motors) 
Paints  locker  (paints,  thinners,  etc.) 
Acetylene 

Solvents/cleaners 

Hydrogen  (from  batteries) 

Rre/explosion  (flammable  material) 

Combustibles 

JP-5  (helo  fuel) 

Diesel  fuel  oil  (vessel  fuel) 

Hydraulic  fluids 

Lube  oil 

Foam,  plastics,  etc. 

Oily  rags,  damp  manila  lines,  etc. 
(spontaneous  combustion) 

Fire/explosion  (combustible  material) 
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Hazard 

Categories 

Hazards 

Vessel-specific  Hazards 
Common  to  Coast  Guard  Vessels 

Potential  Mishaps  of  interest 

Hazardous 

materials 

(continued) 

Explosives 

Pyrotechnics 

Ammunition 

Chaff  system 

Fire/explosion  (explosive  energy  release 
affects  equipment/people) 

Toxics 

Paint  locker 

Solvents/cleaners 

Asbestos 

CFCs 

Lead  paints 

Benzene  in  some  products 

PCBs 

Combustion  products  from  fires 
(particularly  involving  plastics,  foams, 
insulations,  etc.) 

Hypochlorite  and  bromine  (water 
treatment) 

Confiscated  materials 

Chemical  locker  in  engine  rooms 

Hazardous  exposure:  toxic/corrosive 
materials 

Reactives 

OBA  canisters  (internal  reaction) 
Pyrotechnics  (with  salt  water) 

Fire/explosion  (violent  reaction  between 
pyrotechnics  and  salt  water) 

Corrosives 

Battery  acid 

Hypochlorite  and  bromine  (water 
treatment) 

AFFF 

Spent  OBA  canisters 

PKP 

Hazardous  exposure:  toxic/corrosive 
materials  (release  of  corrosive  material) 

Asphyxiants 

Halon  1 

CO2 

Refrigerants 

Nitrogen 

Potentially  oxygen-deficient  atmospheres 
(confined  spaces,  especially  where 
painting  is  occurring) 

Combustion  products  (CO  and  CO2) 

Steam 

Hazardous  exposure:  asphyxiants  (people 
suffer  oxygen  deprivation) 

Biological 

materials 

infectious  disease 

Hazardous  exposure:  biological  materials 
(infectious  diseases) 

Radiation 

Nonionizing 

radiation 

Radar 

HF  communications 

Hazardous  exposure:  radiation 
(nonionizing) 

Weapons 

Guns 

Small  arms 

Large  caliber  weapons 

Firearm  discharge 

Fire/explosion  (explosion  inside  of 
weapon) 
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Step  1.B 


Identify  the  operations/evolutions  performed  by  the 
vessel  being  analyzed 

Operation/evolution  —  a  specific  operational  mode  of  a  Coast 
Guard  vessel/facility: 

The  current  set  of  operations/evolutions  is  maintained  sepa¬ 
rately  from  this  handbook  by  the  Coast  Guard.  The  operations/ 
evolutions  applicable  to  the  unit  (or  class  of  unit)  being  ana¬ 
lyzed  and  of  interest  in  the  analysis  should  be  chosen  from  this 
set. 


Note: 

An  analysis  may  be  focused  on  one  or  more  operations/ 
evolutions  (e.g.,  boarding  and  towing)  while  disregarding 
the  other  operations/evolutions. 

Example  operations/evolntions: 

•  Boarding 

•  Towing 

•  Working  aids  to  navigation 

•  Damage  control 


Note: 

Operations/evolutions  in  this  manual  are  in  bold  type. 


Tip: 

See  Section  9  for  the  current  list  of  Coast  Guard  operations/ 
evolutions. 
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Step  l.C 


Identify  the  functions  applicable  to  the  operations/ 
evolutions  being  analyzed 


Function  —  a  distinct  activity  that  supports  one  or  more  opera¬ 
tions/evolutions 

Exomple  Innetions: 

•  Operating  vessels/craft 

•  Operating  lifting  equipment 

•  Providing  electrical  power 


Note: 

Functions  listed  in  this  manual  are  in  italicized  type. 


Identif/  the  functions  that  are  applicable  to  the  operations/ 
evolutions  and  unit  (or  class  of  unit)  being  analyzed.  The 
current  set  of  functions  is  maintained  separately  from  this 
handbook  by  the  Coast  Guard. 


Example: 


Operation/ 

evolution 

Functions 

Towing 

Operating  vessels/craft 

Operating  deck  equipment 

Note: 

It  is  possible  that  the  analysis  scope  may  not  include  all 
possible  functions  for  a  given  operation/evolution.  For 
example,  an  analysis  may  only  investigate  flammable  liquid 
releases.  Therefore,  the  function  providing  potable  v/ater 
services  would  not  be  included  in  the  analysis.  Or  the  analy¬ 
sis  may  be  for  a  patrol  boat  and  the  function  operating 
aircraft  would  not  be  applicable. 


Identifying  the  operations/evolutions  and  associated  functions 
provides  a  road  map  for  completing  the  coarse  hazard  analy¬ 
sis. 


Tip: 

See  Section  9  for  the  current  list  of  Coast  Guard  functions. 
Included  in  Section  9  is  a  guide  for  understanding  functions. 
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Step  1.D 


Identify  the  locations  of  the  unit  applicable  to  the 
operations/evolutions  and  functions  being  analyzed 


Location  —  a  distinct  area  of  a  unit  where  an  operation/evolu¬ 
tion  is  performed 


Define  locations  as  generally  as  possible.  However,  some  loca¬ 
tions  may  be  very  specific  (e.g.,  forward  sewage  compartment) 
to  effectively  perform  the  coarse  hazard  analysis. 


Example  locations: 

•  Berthing  areas 

•  Medical 

•  Galley 

•  Engine  room 
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Step  1.E 


Associate  functions  with  hazards 


There  are  hazards  associated  with  each  function.  Associating . 
hazards  with  functions  identifies  the  specific  hazards  and  mishaps 
the  analysis  team  should  be  considering  as  a  function  is  ana¬ 
lyzed. 


Example:  operating  lifting  equipment 


Function 

Hazard 

Vessel-Specific  Hazard 

Operating  lifting 
equipment 

Elevated  objects 

Small  boats 

Objects  held  by  cranes/lifls 
(stores,  equipment,  buoys, 
ammunition) 

Equipment  stored  on  shelves 
Unsecured  equipment  (e.g., 
tools)  on  elevated  platforms 

Tension/compression 

Lift  cables/rigging 

Elevated  personnel 

Personnel  on  ladders 

Personnel  on  platforms 

High  pressure 

Hydraulic  systems 

Onboard  equipment 
motion 

Rotating  equipment 

Drive  trains,  beits,  shafts,  gears, 
etc. 

Cranes 
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Coarse  Hazard  Analysis 

Step  1.F  Associate  locotions  with  functions 

There  are  locations  In  the  unit  associated  with  performing  a 
function.  The  analysis  team  needs  an  awareness  of  the  different 
locations  to  ensure  that  all  hazards  and  potential  mishaps  are 
addressed  when  analyzing  a  function.  Also,  different  locations 
will  contribute  different  amounts  of  risk  when  performing  the 
same  function,  and  those  differences  are  important  when 
managing  the  risk  of  the  unit. 


Example:  galley 
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Performing  an  Analysis 


Step  2 


Screen  Low  Risk  Operotions/Evolutions,  Functions, 
Deviations,  and  Locations 


Screening  —  determining  at  a  high  level  that  an  item  is  of  low 
risk  and  will  not  need  to  be  analyzed  in  detail 


Screening  items  allows  the  analysis  team  to  streamline  the 
coarse  hazard  analysis  process  by  identifying  low  risk  items  and 
screening  them  from  the  analysis.  Screening  is  a  systematic 
activity  that  can  be  performed  at  any  stage  of  the  analysis 
process  from  evaluating  operations/evolutions  to  locations. 
Screening  is  based  on  the  following  relationships: 

operations/evolutions  consist  of  functions 
functions  consist  of  deviations 
deviations  occur  in  locations 

where, 

functions  are  subordinate  to  operations/evolutions 
deviations  are  subordinate  to  functions 
locations  are  subordinate  to  deviations 

The  steps  below  outline  the  screening  process.  These  steps  should 
be  used  during  the  various  stages  of  the  analysis. 
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Performin^n&ial^ 


Step  2JR. 


Qualitatively  review  the  subordinate  items  that  are  a 
part  of  the  item  under  review 


sis 


For  example,  review  all  of  the  deviations  and  associated  locations 
that  are  a  part  of  a  function  when  considering  whether  to  screen 
the  function.  This  is  a  high  level  review  of  the  subordinate 
items  that  is  performed  to  familiarize  the  analyst  just  enough 
to  make  a  high  level  estimate  of  mishap  frequency  in  the  next 
step.  This  review  may  not  involve  much  more  than  identifying 
the  subordinate  items.  Detailed  analysis  will  follow  later  in  the 
analysis  sessions. 
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Step  2.B 


Screen  the  item  if  it  is  estimated  to  hove  frequency 
scores  equal  to  or  less  than  the  screening  criteria  with 
at  least  a  Medium  certainty 


After  reviewing  the  subordinate  items,  determine  whether  their 
collective  frequency  scores  are  less  than  or  equal  to  the  screen¬ 
ing  criteria.  Remember  that  this  is  a  high  level  qualitative 
estimate.  Detailed  analysis  will  follow  if  the  item  is  not 
screened. 


Note: 

If  any  of  the  mishap  frequencies  of  the  subordinate  items  are 
estimated  to  be  higher  than  the  screening  criteria,  the  item 
under  review  should  not  be  screened. 


The  screening  criteria  are  defined  by  Coast  Guard  manage¬ 
ment  systems  and  are  the  level  of  risk  (frequency  of  occurrence 
of  a  Class  A/B,  C,  or  D  mishap)  that  the  Coast  Guard  is  not 
willing  to  pursue  for  further  analysis. 


IMPORTANT! 


The  screening  process  should  be  applied  to  all  opera¬ 
tions/evolutions  at  the  beginning  of  the  analysis.  The  set 
of  nonscreened  operations/evolutions  will  be  assessed 
once  all  operations/evolutions  are  assessed.  As  each 
operation/evolution  is  investigated,  the  screening  pro¬ 
cess  should  be  applied  to  function,  deviation,  and  loca¬ 
tion  as  they  are  analyzed. 
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an  Analysis 


steps 


Analyze  Deviations 


Coarse  hazard  analysis  provides  a  systematic  way  to  analyze 
potential  mishaps  by  identifying  deviations  to  the  design  intent  of 
a  function,  their  causes,  their  potential  mishaps,  and  the  safe* 
guards  in  place  to  prevent  the  causes  or  mitigate  the  mishaps. 

The  analysis  also  defines  the  risk  associated  with  the  deviations  as 
well  as  recommendations  to  reduce  the  risk. 


This  section  presents  the  method  for  documenting  the  analysis 
and  explains  the  detailed  steps  for  identifying  and  characterizing 
potential  mishaps  by  evaluating  deviations,  characterizing  devia¬ 
tion  risk,  and  developing  recommendations. 

Tlte  analysis  doenmentation  table 

Typically,  analysis  software  will  be  used  to  collect  the  analysis 
data.  However,  the  coarse  hazard  analysis  can  be  documented 
using  a  table  such  as  the  one  on  the  following  page.  The  table 
arranges  the  information  in  a  logical  format  and  allows  flex¬ 
ibility  in  reporting  when  captured  electronically.  Within  the 
scope  of  the  analysis,  the  table  includes  the  operations/evolu¬ 
tions  applicable  to  the  unit  class  analyzed,  the  functions  appli¬ 
cable  to  each  operation/evolution,  and  the  deviations 
associated  with  each  function.  Each  deviation  is  evaluated 
during  the  analysis,  completing  the  analysis  table. 
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Performing  on  Analysis 


Coarse  Hazard  Analysis  of  WHEC-378 


Operation/evolution:  Towing 


Function:  Operating  vessels/craft 


Mishaps 


Collision  with  a 
fixed  object 

Collision  with 
another  vessel 

Grounding  vessel 


Collision  with 
another  vessel 


1.1  Incorrect  Mechanical  failure 
position/  of  steering  system 
direcbon/  ^^echanical  failure 
*p««^  of  main  diesel 
engine 

Officer  of  the  deck 
chooses/orders 
wrong  vessel 
course 


1.2  Vessel  Tow  line  is  too 
struck  by  short 

another  Mechanical  failure 
vessel 

engine 

Towed  vessel 

maneuvers 

incorrectly 


RIN 

Certainty 

Safeguards 

0.0603 

High 

PQsfbr 
bridge  watch- 
slanders 

Preventive 
maintenance 
on  the 
engines 

0.009 

High 

PQsfor 
bridge  watch- 
standers 

Preventive 
maintenance 
on  the 
engines 

Recommend¬ 

ations 


Consider 

performing 

preventive 


Along  with  the  analysis  table  (or  software  tool),  it  is  good 
practice  to  have  a  means  to  record  notes  or  comments  pertain¬ 
ing  to  the  information  in  the  table. 
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Coarse  Hazard  Analysis 


Performing  an  Analysis 


Step  ZJi  Evaluate  Deviations 

B 


Coarse  Hazard  Analysis  of  WHEC-378 


Operation/evolution:  Towing 


Function:  Operating  vessels/craft 


Freq. 


Causes 

Mishaps 

Mechanical  failure 
of  steering  system 

Mechanicai  failure 
of  main  diesel 
engine 

Officarofthedeck 
chooses/orders 
wrong  vessel 
course 

Collision  with  a 
fixed  ot^ect 

CotUslonwith 
another  vessel 

Grounding  vessel 

RiN 

Certainty 

0.0603 

L 

High 

Rscommsnd- 

stions 


Consider 

pofforming 

preventive 

miintenance 

on  the 

steering 

system 


Deviation  —  an  off-normal  condition  or  situation  that  has  the 
potential  to  result  in  a  mishap 

A  coarse  hazard  analysis  is  performed  by  systematically  evalu¬ 
ating  deviations  listed  in  the  analysis  tables. 


See  Section  9  for  the  current  list  of  deviations  for  each  func¬ 
tion.  Included  in  Section  9  is  a  guide  for  understanding 
deviations. 


Coast  Guard 


Coarse  Hazard  Analysis 


l^rformingnairnjnal^j^ 


IMPORTANT! 


Before  analyzing  deviations,  consider  at  a  high  level 
all  of  the  deviations  that  are  a  part  of  the  function 
being  analyzed.  Determine  whether  the  function  can 
be  screened. 

For  each  deviation,  consider  at  a  high  level  the  loca¬ 
tions  associated  with  the  deviation  to  determine 
whether  the  deviation  can  be  screened. 

Steps  used  to  evaluate  a  deviation 

3.A.1  Identif/  possible  mishaps  of  the  deviations 

3.A.2  Identify  causes  of  the  deviations 

3.A.3  Identify  preventive  and  mitigative  safeguards 
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Performing  an  Analysis 


Step  3  JLl  Identify  possible  mishaps  of  the  deviations 

a 


Coarse  Hazard  Analysis  of  WHEC-378 


Operation/evolution:  Towing 


Function:  Operating  vessels/craft 


Fmq. 


No. 

OtviaBon 

Causss 

1.1 

tncorrect 

pOfitkMi/ 

dtrtction/ 

sptod 

Mechanical  failure 
of  steering  system 
Mechanical  failure 
of  main  diesel 
engine 

Officer  of  the  deck 
chooses/orders 
wrong  vessel 
course 

Mishaps 
Collision  with  a 
fixed  object 

Collision  with 
another  vessel 

Grounding  vessel 


RIN 

Certainty 

Safeguards 

Recommend* 

atkms 

0.0603 

High 

PQsfor 
bridge  watdv 
slanders 

Preventive 
maintenance 
on  the 
engines 

Consider 

performing 

preventive 

maintenance 

on  the 

steering 

system 

Mishap  —  a  potential  result  of  a  deviation 

For  Coast  Guard  purposes,  a  mishap  is  any  result  of  a  devia¬ 
tion  that  can  produce  a  Class  A,  B,  C,  or  D  mishap  of  interest. 
Class  A,  B,  C,  and  D  mishaps  are  defined  as  follows: 


Mishap 

Severity 

Category  Description* 


Class  A  •  The  cost  of  reportable  property  damage  is  $1 ,000,000  or  more 

•  A  vessel  is  missing  or  abandoned,  recovery  is  impossible  or 
impractical,  the  vessel  cannot  be  repaired  economically 

•  An  injury  or  illness  results  in  a  fatality  or  permanent  total 
disability 


•  The  resulting  cost  of  reportable  property  damage  is  $200,000 
or  more,  but  less  than  $1,000,000 

•  Any  injury  and/or  illness  results  in  permanent  partial  disability 

•  Five  or  more  people  are  inpatient  hospitalized 


•  The  cost  of  property  damage  is  $10,000  or  more,  but  less  than 

$200,000 

•  A  nonfatal  injury  or  illness  that  results  in  any  loss  of  time  from 
work  beyond  the  day  or  shift  on  which  it  occurred 


•  The  cost  of  property  damage  is  $1,000  or  more,  but  less  than 

$10,000 

•  A  nonfatai  injury  or  illness  occurs  that  does  not  meet  the 
criteria  of  a  Class  C  mishap 

•  A  person  is  overboard,  an  accidental  firearms  discharge 
occurs,  or  an  electric  shock  occurs  that  does  not  meet  the 
criteria  of  a  higher  classification 


The  mishap  terminology  is  consistent  with  listings  in  the  MISREP  database. 


Class  B 


Class  C 


Class  D 


Coast  Guard  IRA  Manual 


Coarse  Hazard  Analysis 


Performing  an  Analysis 


The  set  of  Coast  Guard  mishaps  of  interest  include: 


Mishaps  of  Interest* 

Capsizing  vessel 

Person  overboard 

Collision  with  another  vessel 

Hazardous  exposure:  contact  injury 

Collision  with  a  fixed  object 

Hazardous  exposure:  toxic/corrosive 

Collision  with  a  floating  object 

materials 

Collision  with  helo 

Hazardous  exposure:  electrical  shock 

Grounding  vessel 

Hazardous  exposure:  cold  environment/ 

Sinking  vessel 

sur^ce/material 

Fouled  screw 

Hazardous  exposure:  hot  environment/ 

Fire/explosion 

surface/material 

Firearm  discharge 

Hazardous  exposure:  asphyxiants 

Equipment  damage/loss 

Hazardous  exposure:  noise 

Loss  of  small  boat 

Hazardous  exposure:  radiation 

Loss  of  helo 

Hazardous  exposure:  biological  materials 

Drowning 

*  The  mishap  terminology  is  consistent  with  listings  in  the  MISREP  database. 
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Performin^anAnoly^ 


Step  3  A.2 


Identify  eouses  of  the  deviations 


Coarse  Hazard  Analysis  of  WHEC-378 

Operation/evolution;  Towing 

Function:  Operating  vessels/craft 

Freq. 

No. 

Ooviation 

Causes 

Mishaps 

i 

I 

1 

RiN 

Certainty 

Safeguards 

Recommend* 

ations 

1.1 

Incorrect 

position/ 

direction/ 

spotd 

Mechanical  failure 
of  steering  system 

Mechanical  failure 
of  mam  diesel 
engine 

Officer  of  the  deck 
choQses/orders 
wrong  vessel 
course 

CoOtsion  with  a 
fixed  object 
CotBsionwHh 
another  vessel 

Grounding  vessel 

3 

4 

3 

0.0603 

High 

PQsfor 
bridge  watch* 
standers 

Preventiva 
maintenance 
on  the 
engines 

Consider 

performing 

preventive 

maintenance 

on  the 

steering 

system 

Cause  —  an  event,  that  if  not  mitigated,  results  in  a  mishap 

Causes  of  deviations  can  be: 

•  Human  error 

•  Equipment  failure 

•  Hardware  system  failure 

•  Administrative  system  failure 

Focus  on  single  event  causes.  Include  multiple  event  causes 
only  in  cases  where  the  frequency  of  the  multiple  events  occur¬ 
ring  is  high. 


Note: 

When  answering  this  question,  only  consider  the  operation/ 
evolution  currently  under  review. 


Remember  that  this  is  a  coarse  hazard  analysis.  Avoid  getting  too 
detailed.  Try  to  focus  at  the  system  level  initially.  However,  if  the 
risk  associated  with  the  deviation  is  high,  more  detail  may  be 
warranted. 
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Coarse  Hazard  Analysis 


Step  3  JL3 


Identify  preventive  and  mitigotive  safeguards 


Coarse  Hazard  Analysis  of  WHEC-378 

Operation/evolution:  Towing 

Function:  Operating  vessels/aaft 

Fraq. 

No. 

Doviation 

Causas 

Mishaps 

i 

1 

1 

RIN 

Certainty 

Safeguards 

Recommend- 

ations 

1.1 

Incorract 

position/ 

diraction/ 

spaad 

Machanica)  failura 
of  stearins  system 

Mechanical  faflura 
of  main  diasat 
angina 

Officer  of  the  deck 
choosas/ordars 
wrong  vassal 
course 

CoOision  with  a 
(bad  object 

Collision  with 
another  vassal 

Grounding  vassal 

3 

4 

3 

0.0603 

High 

PQs  for 
bndge  watch- 
standers 

Preventtve 
maintenance 
on  the 
engines 

Consider 

parfomting 

preventive 

maintenance 

on  the 

steering 

system 

Safeguard  —  engineered  systems  (hardware)  or  administrative 
controls  for  reducing  the  frequency  of  occurrence  or  mitigating 
the  severity  of  deviations 

Answer  this  question  when  identifying  safeguards: 

"While  performing  this  operation/evolution,  what  are  the 
engineered  or  administrative  systems  in  place  to  reduce  the 
frequency  of  the  deviation(s)  or  reduce  the  severity  of  the 
deviation(s)?" 

Answer  this  question  with  respect  to  the  operation/evolution 
being  considered. 

Types  of  safeguards  to  consider: 

•  Hardware  (e.g.,  barriers,  alarms,  interlocks,  redundant 
pumps) 

•  Specific  procedures  and  training  (e.g.,  ammunition  loading 
procedure,  PQS  for  deck  crew) 

■  Specific  administrative  policies  (e.g.,  respirator  program) 

Avoid  becoming  too  optimistic  about  safeguard  reliability/ 
effectiveness.  If  the  dependability  of  a  safeguard  is  in  question, 
the  conservative  approach  is  to  not  take  credit  for  it  (especially 
human  detection/response  and  adherence  to  administrative 
policies). 

Think  about  each  deviation  as  a  mishap  scenario. 

•  Each  cause  is  an  initiating  event. 

•  Safeguards  are  the  engineered  features  or  actions  that  make 
deviations  less  likely  and/or  reduce  the  severity  of  the  mis¬ 
hap. 
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Performing  an  Analysis 


Step  3.B 


Characterize  the  risk  of  deviations 


Risk  —  the  combination  of  the  expected  frequency  (events/year) 
and  consequence  (effects/event)  of  a  single  accident  or  group  of 
accidents. 

For  each  deviation,  the  risk  associated  v/ith  the  deviation's  pos¬ 
sible  outcomes  (mishaps)  must  be  characterized.  This  character¬ 
ization  includes  frequency  and  consequence  estimates,  a  risk 
index  number  derived  from  the  frequency  estimates,  and  determi¬ 
nation  of  the  certainty  of  the  estimate. 


The  risk  associated  with  a  location  will  also  be  determined  in  this 
section. 


Steps  used  to  characterize  risk 

3 .  B.  1  Determ  i  ne  freq  uency  scores 

3.B.2  Calculate  the  risk  index  number 
3.B.3  Characterize  the  certainty  of  the  frequency  estimate 
3.B.4  Evaluate  location  risk 
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Coarse  Hazard  Analysis 


Performing  an  Analysis 


Step  3.B.1 


Determine  the  frequency  of  deviations  resulting  in  Class  A/B, 
C,  and  D  mishaps 


Coarse  Hazard  Analysis  of  WHEC-378 

Operation/evolution:  Towing 

Function:  Operating  vessels/crafl 

No. 

Deviation 

Causes 

Mishaps 

Freq 

Safeguards 

Recommend¬ 

ations 

A/B 

C 

D 

1.1 

Incorrect 

position/ 

direction/ 

speed 

Mechanical  failure 
of  steering  system 

Mechanical  failure 
of  main  diesel 
engine 

Officer  of  the  deck 
chooses/orders 
wrong  vessel 
course 

Colfision  with  a 
fixed  object 

Coltision  with 
another  vessel 

Grounding  vessel 

_ 

4 

3 

0.0603 

High 

PQsfor 
bridge  watch- 

standers 

Preventive 
maintenance 
on  the 
engines 

Consider 

performing 

preventive 

maintenance 

on  the 

steering 

system 

Frequency  —  a  score  indicating  the  expected  number  of  occur¬ 
rences  per  year  of  the  relevant  mishap  class 


Class  A/B  Mishap  —  a  mishap  that  is  categorized  as  Class  A  or 
Class  B.  For  the  purposes  of  risk  calculations.  Class  A/B  mishaps 
are  equivalent  to  a  loss  of  $200,000  or  greater  (average  loss  of 
$300,000) 

Class  C  Mishap  —  a  mishap  that  is  categorized  as  Class  C.  For 
the  purposes  of  risk  calculations.  Class  C  mishaps  are  equivalent 
to  a  loss  of  less  than  $200,000  but  greater  then  $10,000  (aver¬ 
age  loss  of  $30,000) 

Class  D  Mishap  —  a  mishap  that  is  categorized  as  Class  D.  For 
the  purposes  of  risk  calculations.  Class  D  mishaps  are  equivalent 
to  a  loss  of  less  than  $10,000  (average  loss  of  $3,000) 

Using  the  frequency  scoring  categories  in  the  figure  on  the  next 
page,  assess  the  frequency  of  each  deviation  occurring  and 
resulting  in  a  (1)  Class  A/B,  (2)  Class  C,  and  (3)  Class  D  mis> 
hap.  Only  assess  the  deviation  with  respect  to  the  operation/ 
evolution  being  considered.  Rather  than  estimating  the  fre¬ 
quency  of  each  credible  deviation's  causes  occurring  and  each 
associated  safeguard  failing,  make  higher  level,  subjective 
assessments  of  the  overall  frequency  of  each  deviation  occur¬ 
ring  and  resulting  in  mishaps.  Each  frequency  estimate  should 
be  based  on  cumulative  frequencies  of  contributing  events. 
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Tip: 

Use  available  data  to  develop  reasonable  frequency  esti¬ 
mates 

•  MISREPdata 

•  CASREPdata 

•  Subject  matter  expert  judgment 

•  Generic/vendor  data 


IMPORTANT! 


Frequenqr  estimates  must  be  assigned  by  determining 
the  frequency  of  a  mishap  occurring  at  a  unit.  How¬ 
ever,  it  may  be  necessary  to  consider  an  entire  unit 
class  when  determining  the  frequency  of  a  mishap.  If 
this  is  the  case,  the  frequency  score  for  the  unit  class 
must  be  converted  to  a  score  for  a  single  unit.  For  ex¬ 
ample,  determining  the  frequency  of  capsizing  the  ves¬ 
sel  may  be  difficult  to  consider  for  a  single  vessel 
because  of  the  small  experience  base  being  consid¬ 
ered.  Experience  for  the  vessel  class  may  indicate  that 
for  1 0  vessels  In  the  class,  1  vessel  has  capsized  in  1 5 
years  (e.g.,  in  150  years  of  vessel  experience).  Thus, 
the  frequency  of  a  single  vessel  capsizing  is  1/150  or 
once  every  1 50  years. 
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Frequency  Scoring  Categories 


Frequency 
Score  Descriptions 


Continuous 

Will  occur  almost  continuously 
(100  or  more  times  per  year) 


Frequency  Scores 
(with  indicated 
frequency  bounds) 


Very  Frequent 
Will  occur  very  frequently 
(10  to  100  times  per  year) 


Frequent 

Will  occur  frequently 
(1  to  10  times  per  year) 


10/y  wmmd 


6 


Example  Benchmarks  for  Assigning 
Categories  for  a  Single  Vessel 


One  event  each  week 
One  event  each  month 


One  event  each  quarter 


Occasional 
Will  occur  periodically 
(one  time  every  1  to  10  years) 


5 


One  event  per  year 


One  event  over  one  tour  (3  years) 


Probable 

Will  occur  a  few  times  over  a 
50-year  period 

(one  time  every  10  years  to  50% 
chance  over  a  50-year  period) 

Improbable 

Unlikely,  but  reasonably 
expected  to  occur 
(50%  to  5%  chance  over  a 
50-year  period) 

Rare 

Very  unlikely,  but  credible 
(5%  to  0.5%  chance  over  a 
50-year  period) 

4 


1x10-2/y 

3 


2 


Remote 

Extremely  unlikely,  but  not 
physically  impossible 
(0.5%  to  0.005%  chance  over 
_ a  50-year  period) _ 

incredible 

Physically  impossible  or 
virtually  impossible 
(less  than  0.005%  chance  over 
a  50>year  period) _ 


ilxIO^/yi^— 

1 

i1  X  10^/y™*i 

0 


One  event  over  three  tours  (9  years) 


10%  chance  of  an  event  over  one  tour  (3  years) 

10%  chance  of  an  event  over  three  tours  (9 
years) 


1%  chance  of  an  event  over  one  tour  (3  years) 
1%  chance  of  an  event  over  three  tours  (9  years) 


1-in-1000  chance  of  an  event  over  one  tour  (3  years) 

1 -in-1 000  chance  of  an  event  over  three  tours  (9  years) 


-1 -in-1 0,000  chance  of  an  event  over 
three  tours  (9  years) 

-•1 -in-1 00,000  chance  of  an  event  over 
three  tours  (9  years) 
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Step  3.B.2 


Coleulate  the  risk  index  number  (BIN) 


Coarse  Hazard  Analysis  of  WHEC-378 


Operation/evoiution:  Towing 


Function:  Operating  vessels/crafl 


No. 


1.1 


Devittion 


Incorrect 

position/ 

direction/ 

speed 


Ceuses 


Mechanical  failure 
of  steering  system 

Mechanical  failure 
of  main  diesel 
engine 

Officer  of  the  deck 
chooses/orders 
|wrong  vessel 
course 


Mishaps 


Cotlisionwitha 
fixed  o^ct 

CoUision  with 
another  veuel 
Grounding  vessel 


Freq. 


[Certainty 


High 


Safeguards 


PQsfor 

bridge  watch- 

slanders 

Preventive 

maintenance 

on  the 

engines 


Recommend- 


Consider 


preventive 
maintenance 
on  the 
steering 
system 


Risk  Index  Number  —  a  relative  measure  of  the  overall  risk 
associated  with  a  deviation 


Calculate  the  RIN  for  each  deviation  by  using  the  following 
equation: 


RIN  =  (0.3  •  +  0.03  •  lot'**’  +  0.003  *  10«^®>  )/1 0,000 

Where: 

FsA/B  =  the  frequency  score  for  Class  A/B  mishaps 
FsC  =  the  frequency  score  for  Class  C  mishaps 
FsD  =  the  frequency  score  for  Class  D  mishaps 

This  equation  is  derived  assuming  an  average  Class  A/B  mishap 
is  equivalent  to  $300,000,  an  average  Class  C  mishap  is 
equivalent  to  $30,000,  and  an  average  Class  D  mishap  is 
equivalent  to  $3,000.  The  following  page  contains  the  com¬ 
plete  derivation. 
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Derivation  of  the  BIN  equation 


Frequency  and  Consequence  Table 

Freq.  Score 

Freq. 

Cat. 

Cons.  Score 

Cons. 

8 

100 

A/B 

3 

300K 

7 

10 

C 

2 

30K 

6 

• 

1 

• 

D 

1 

3K 

• 

• 

• 

• 

Risk  (R)  =  Frequency  (F)  *  Consequence  (C) 

p  _  I +  f*) 

Where: 

Fs  =  Frequency  Score 

(Coarse  Hazard  Analysis) 

Fc  =  Frequency  Correction 
Factor 

C  = 

Where: 

Cs=  Consequence  Score 
(for  Class  A/B,  C,  or  D 
mishaps) 

Cc=  Consequence  Correction 
Factor 

R  =  1  *  10'^  + 

R  =  1  ‘  ^  ®> 

R  =  1 0''^  *  ^  ®> 


Cc  Derivation 

Consequence  = 

300K  =  10<3*cc) 
Log^g  300K  =  3+Cc 

Cc  =  2.477-2.5 


Fc  Derivation 

Frequency  = 

100  =  10(®*'''=> 
Log^o  100  =  8+Fc 
Fc  =  ^ 


2R  =  R^  +  Rj.  +  Rjj  (total  risk  for  a  deviation) 

2R  =  1 ®  +  1 ®  +  1 

2R  = 

2R  =  0.3  •  10i'^>  +  0.03  *  10<^=>  +  0.003  *  10<^‘°> 

RIN  =  (0.3  •  +  0.03  *  +  0.003  *  10<®*'»  )/1 0,000 
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Performin^i^bialysis 


Step  3.B.3 


Characterize  the  certainty  of  the  frequency  estimote 


Coarse  Hazard  Analysis  of  WHEC-378 


Operation/evolution;  Towing 


Function:  Operating  vessels/craft 


No. 


1.1 


Deviation 


Incorrect 

position/ 

direction/ 


Causes 


Mechanical  failure 
of  steering  system 

Mechanical  failure 
of  main  diesei 


Officer  of  the  deck 
choosea/orders 
wrong  vessel 
course 


Mishaps  Ia/B 


Collision  with  a 
fixed  object 

CoiSsionwith 
another  vessel 

Grounding  vessel 


Freq. 


RIN 


Safeguards 


0.0603 


Recommend- 

ations 

Consider 

performing 

preventive 

maintenance 

on  the 

steering 

system 


Certainty  —  the  confidence  in  the  frequency  assessments  of  Class 
A/B,  Class  C,  and  Class  D  mishaps  occurring 

Characterize  the  confidence  in  the  assessment  of  the  frequency 
scores  for  each  deviation.  This  subjective  rating  helps  to  qualify 
the  risk  estimates.  For  example,  a  medium  risk  deviation  with  a 
High  certainty  may  deserve  the  same  or  more  attention  than  a 
high  risk  deviation  with  a  Low  certainty. 

Certainty  categories: 

High  —  very  confident  in  assigned  frequency  categories;  typi¬ 
cally  used  when  (1)  there  is  a  strong  understanding  of  mishap 
mechanisms  and/or  (2)  there  have  been  a  significant  number 
of  previous  occurrences,  or  there  is  a  large  relevant  population 
with  few  or  no  occurrences 

Medium  —  comfortable  with  assigned  frequency  categories; 
typically  used  when  (1)  there  is  a  moderate  understanding  of 
mishap  mechanisms  and/or  (2)  there  have  been  only  a  few  (or 
no)  previous  occurrences,  or  there  is  at  least  modest  relevant 
population  with  few  (or  no)  previous  occurrences 

Low  —  little  confidence  in  assigned  frequency  categories; 
typically  used  when  (1)  there  is  no  strong  understanding  of 
mishap  mechanisms  and/or  (2)  there  have  been  few  (or  no) 
previous  occurrences  and  relevant  populations  are  small 
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Coarse  Hazard  Analysis 


Performing  an  Analysis 


Step  B.4 


Evaluate  location  risk 


Operation/Evolution: 

Damage  control  fire 

Function: 

Providing  fire  services 

Deviation: 

Physical  hazards  exposure 

Location 

Contribution  to  Deviation  Risk 

Machinery  spaces 

H 

Engine  room 

M 

Deck 

N 

Berthing 

L 

For  each  location  associated  with  the  deviation  (typically, 
locations  are  associated  with  functions  and,  therefore,  all 
deviations  within  the  function  are  associated  with  the  location), 
determine  the  contribution  the  location  makes  to  the  deviation 
risk.  Contribution  is  defined  in  the  following  table. 


Note: 

If  the  locations  are  screened,  meaning  that  no  judgment  was 
made  as  to  the  contribution  the  location  makes  to  the  risk 
associated  with  the  deviation,  all  of  the  locations  will  default 
to  moderate  (M). 


Contribution 

Description 

H 

High  contributor  to  the  deviation  risk;  most  all  of  the 
deviation  risk  is  due  to  this  location 

M 

Moderate  contributor  to  the  deviation  risk;  a  moderate 
(significant)  portion  of  the  deviation  is  due  to  this 
location 

L 

Low  contributor  to  the  deviation  risk;  a  minimal  portion 
of  the  deviation  risk  is  due  to  this  location 

i 

N 

No  or  little  significant  contribution  to  the  deviation  risk; 
little  or  no  portion  of  the  deviation  risk  is  due  to  this 
location 

IMPORTANT! 


It  is  very  important  to  consider  both  the  frequency  of 
the  deviation  occurring  as  well  as  the  consequence  of 
the  associated  mishaps  due  to  the  location. 

For  example: 

As  shown  in  the  table  at  the  top  of  this  page,  when  the  devia¬ 
tion  "physical  hazards  exposure"  occurs,  it  is  expected  that 
activities  or  equipment  in  the  machinery  spaces  will  most  likely 
cause  the  deviation,  and  the  consequences  will  be  the  same  as 
if  the  deviation  were  caused  by  events  in  another  location.  The 
machinery  spaces  make  a  high  contribution  to  the  deviation 
risk. 
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Coarse  Hazard  Analysis 


Performing  an  Analysis 


Step  3*C 


Develop  recommendations 


Coarse  Hazard  Analysis  of  WHEC-378 

Operation/evolution:  Towing 

■■1 

Function:  Operating  vessels/craft 

Freq. 

No. 

Deviation 

Causes 

Mishaps 

1 

1 

1 

RIN 

Certainly 

Safeguards 

Recommend¬ 

ations 

1.1 

Inconect 

position/ 

direction/ 

speed 

Mechanical  failure 
of  steering  system 
Mechanical  failure 
of  main  diesel 
engine 

Officer  of  the  deck 
chooses/orders 
wrong  vessel 
course 

Coltision  with  a 
fixed  object 

CotHsion  with 
another  vessel 

Grounding  vessel 

3 

4 

3 

0.0603 

High 

PQstor 
bridge  watch- 

slanders 

Preventive 
maintenance 
on  the 
engines 

Consider 

performing 

preventive 

maintenance 

on  the 

steering 

system 

Recommendations  —  suggestions  and  action  items  for  (1) 
reducing  the  risk  associated  with  a  deviation  and/or  (2)  providing 
more  extensive  evaluation  of  specific  issues 


Risk  reduction  recommendations  and  recommendations  sug¬ 
gesting  more  in-depth  review  are  necessary  for  high  risk  devia 
tions  or  deviations  with  low  levels  of  certainty. 


Steps  used  to  develop  recommendations 

3.C.1  Identify  risk  reduction  recommendations 
3.C.2  Identify  recommendations  for  further  evaluation 
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Coarse  Hazard  Analysis 


Performing  an  Analysis 


StepS.C.l 


Identify  risk  reduction  recommendations 


Risk  reduction  recommendations  should  accomplish  one  or  more 
of  the  following: 

•  Eliminate/mitigate  hazards 

•  Prevent  deviations 

•  Ensure  that  existing  safeguards  are  dependable 

•  Provide  additional  safeguards 

•  Prevent/mitigate  mishaps 

•  Prevent/mitigate  the  effects  of  mishaps 


Note: 

Be  certain  that  risk  reduction  recommendations: 

•  Do  not  unknowingly  increase  other  risks 

•  Are  practical 

•  Effectively  focus  on  pertinent  risk  issues 


Example: 

*  Consider  providing  fixed  fire  protection  for  the  vessel's 
engine  room  and  auxiliary  room 

•  Consider  providing  machine  guards  for  the  cable/spool 
pinch-points  on  the  cross-deck  winches 
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Coarse  Hazard  Analysis 


^erformin^onAnoh^^ 


Step  3.C.2 


Identiiy  recommendations  for  farther  evaluation 


Some  deviations  or  issues  may  require  a  more  detailed  analysis. 
Such  situations  include: 

•  High  risk  deviations/issues  v/here  more  resolution  is  needed 
to  develop  risk  reduction  measures 

•  Potentially  significant  deviations/issues  with  a  low  level  of 
certainty  in  the  risk  assessment  or  the  information  gathered 
about  the  mishap  scenario 

Examples: 

Situation  1  —  Consider  performing  more  detailed  hazard 
evaluation  of  the  equipment/procedures  used  for  lifting 
objects  (e.g.,  piles,  buoys,  wreckage)  to  ensure  that  exist¬ 
ing  procedures  and  equipment  configurations/preventive 
maintenance  (1)  provide  adequate  protection  against 
dropping  loads  and  (2)  are  consistent  with  good  engineer¬ 
ing  practices 

Situation  2  —  Consider  performing  a  more  detailed  analysis 
of  the  electrical  systems  aboard  the  vessel  to  specifically 
identify  and  evaluate  (1)  the  potential  for  electrical  fires  and 
(2)  the  potential  for  electrical  shocks  of  crew  members 
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Coarse  Hazard  Analysis 


Step  4 


Generate  a  Risk  Profile 


To  effectively  manage  risk.  Coast  Guard  decision  makers  must 
analyze  the  risk  associated  with  a  unit  class  from  several  per¬ 
spectives.  The  coarse  hazard  analysis  provides  risk  information 
for  each  deviation  within  a  function  within  an  operation/ 
evolution.  Risk  associated  with  each  deviation  is  the  basic 
information  required  to  analyze  overall  unit  class  risk. 
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Coarse  Hazard  JUialysis 


Performin^onAnol^si^ 


Step  4  Jl 


Determine  the  risk  contribution  of  deviations 


Determining  the  risk  contribution  importance  (risk  contribution) 
of  deviations  provides  a  means  to  focus  resources  as  narrowly 
as  possible  on  deviations  that  are  estimated  to  be  the  domi¬ 
nant  risk  contributors  for  a  unit  class. 


Deviations  Ranked  by  Risk  Contribution 

Operation/Evolution 

Function 

Deviation 

Risk  Contribution 

Boarding 

Providing  assessment/investigation/coordination 
services 

Physical  hazards  exposure 

0.05 

Towing 

Operating  vessels/craft 

Incorrect  position/direction/speed 

0.009 

Towing 

Operating  deck  equipment 

Hot/cold  environment  exposure 

0.009 

Small  boat  launch/recovery  from  vessel 

Operating  lifting  equipment 

Loss  of  support 

0.007 
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Performing  an  Analysis 


Use  the  following  equation  to  determine  risk  contribution: 


Risk  contribution  =  RIN  (of  the  deviatlon)/Total  unit  risk  (2RIN) 

Example: 


Total  vessel  risk  (2RIN) 
RIN  for  "physical  hazards  exposure" 
Risk  contribution  of  "physical  hazards  exposure" 


633 

33.3 

33.3/633 

0.053 
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^eriorming^anAiiahgis 


□ 


Step  4.B 


Determine  the  risk  contribution  of  functions 


Although  most  risk  management  resources  are  targeted  as 
narrowly  as  possible  toward  the  highest  individual  risk  con¬ 
tributors,  some  risk  management  decisions  (especially  training 
and  research  decisions)  are  frequently  based  on  broader  char¬ 
acterizations  of  risks  such  as  risk  associated  with  a  unit  func¬ 
tion  (e.g.,  operating  vessels/ craft,  providing  electrical  power 
services). 
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Risk  contribution  histogram  ior  functions 


Risk  Contribution 

Steps  nsed  to  determine  the  risk  contribution  of  innctions 

4.B.1  Sum  the  RINs  of  deviations  within  a  function  across  all 
operations/evolutions 

4.B.2  Determine  the  risk  contribution 


■iJSA 

•#**Tr* 
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Coarse  Hazard  Analysis 


Step  4.B.1 


Sum  the  RlNs  of  deviations  within  a  function  ocross  oil 
operations/evolutions 


Function 


Operation/Evolution 

Deviation 

RIN 

Small  boat  launch/recovery 

Loss  of  support 

KB 

Physical  hazards  exposure 

60 

Hot/cold  environment  exposure 

0.06 

Anchored/moored/stored 

Physical  hazards  exposure 

30.003 

Loss  of  support 

— 

Not  operation/evoiution  specific 

Physical  hazards  exposure 

3.3 

2RiN  for  operating  lifting  equipment 

94.863 

Towing 

Vessel  struck  by  another  vessel 

0.006 

incorrect  position/direction/ 
speed 

0.0603 

Physical  hazards  exposure 

0.063 

Vessel  leaving  or  returning 

Incorrect  position/direction/ 
speed 

0.33 

ZRIN  for  operating  vessels/craft 

0.4593 

As  shown  above,  include  the  deviations  of  the  function  for  each 
operation/evoiution  under  review. 
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Coarse  Hazard  Analysis  Performing  an  Analysis 

Step  4.B.2  Determine  the  risk  contribution 

Divide  the  total  risk  for  the  function  calculated  in  the  first  step 
by  the  total  risk  for  the  unit  (SRIN) 


Example: 

Total  vessel  risk  (2RIN)  =  633 
RIN  for  operating 
lifting  equipment  =  94.863 


Risk  contribution  of  operating 
lifting  equipment 


94.863/633 

0.15 
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Performing  an  Analysis 


Step  4.C  Determine  the  risk  contribution  of  operations/evolutions 

Although  most  risk  management  resources  are  targeted  as 
narrowly  as  possible  toward  the  highest  individual  risk  con¬ 
tributors,  some  risk  management  decisions  (especially  training 
and  research  decisions)  are  frequently  based  on  broader  char¬ 
acterizations  of  risks  according  to  the  type  of  operation/ 
evolution  (e.g.,  towing,  boarding). 
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Performing  an  Analysis 


Risk  eontribntioii  histogram  for  operations/evolnlions 


Risk  Contribution 


Steps  to  determine  the  risk  contribntion  of  operations/evolntions 

4.C.1  Sum  the  RINs  of  deviations  v/ithin  an  operation/evolu* 
tion 

4.C.2  Determine  the  risk  contribution 
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Performing  an  Analysis 


Step  4.C.1  Sum  the  RDTs  of  deviations  vnthin  eoch  operation/evolntion 

Include  all  deviations  within  the  functions  applicable  to  the 
operation/evolution. 


Operation/Evolution 

Function 

Deviation 

RIN 

Helicopter  operations 

Operating  vessels/craft 

incorrect  position/direction/speed 

3.6 

Vessels/craft  unavailable 

0.3003 

Physical  hazards  exposure 

0.63 

Providing  fueiing 
services 

Fire/expiosion 

3.003 

Operating  aircraft 

Physical  hazards  exposure 

0.63 

High  noise  exposure 

0.06 

ZRIN  for  helicopter  operations 

8.223 

Towing 

Operating  vesseis/craft 

Vessels/craft  unavailable 

0.006 

incorrect  position/directlon/speed 

0.0603 

Physical  hazards  exposure 

0.063 

Operating  deck 
equipment 

Physical  hazards  exposure 

3.003 

Hot/cold  environment  exposure 

0.006 

£RIN  for  towing 

3.138 
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Performing  an  Anal 


Step  4.C.2 


Determine  the  risk  contribution 

Divide  the  total  risk  for  the  operation/evolution  by  the  total  risk 
for  the  unit  (ZRIN) 

Example: 

Total  vessel  risk  (ZRIN)  =  633 
RIN  for  helicopter  operations  =  8.223 

Risk  contribution  of 
helicopter  operations  =  8.223/633 

=  0.013 
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^erformingonAnalysis 


Step  4.D 


1,  Determine  the 
scope  of  the 
coarse  hazard 
analysis 


2.  Scre^  tow  risk 
ops/evs. 
functions, 
deviations,  and 
locations 


3.  Analyze 
deviations 


A.  Determine  the 
risk  contribution  of 
deviations 


B.  Determine  the 
risk  contribution  of 
functions 


I 


C.  Determine  the 
risk  contribution  of 
operations/ 
evolutions 


j 


4.  Generate  a 
risk  profile 


5.  Evaluate  the 
benefit  of  risk 
reduction 

recommendations  I 


D,  Determine  the 
risk  contribution 
of  locations 


D.1  Identify  ail 
deviations  associated 
with  a  location 


I 


E.  Generate  a  risk 
matrix 


D.2  Multiply  the 
risk  contribution  of  each 
deviation  by  the 
kxation's  contribution  to 
deviation  risk 


I 


F.  Determine  the 
unit  dass 

frequency  range  of 
mishaps 


D.3  Sum  the  fraction 
of  risk  contribution  from 
each  deviation 


'G.  Compare  frequency  > 
estimates  with  historical 
experience 


Determine  the  risk  contribution  of  locations 


Determining  the  risk  contribution  of  locations  provides  a  means 
for  the  Coast  Guard  to  understand  the  contribution  of  each 
unit  location  to  overall  unit  risk.  A  prioritized  list  of  locations 
will  help  Coast  Guard  decision  makers  determine  the  locations 
of  the  unit  on  which  to  focus  risk  reduction  efforts. 
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Performing  an  Analysis 


Histogram  for  location  risk  contribution 


Risk  Contribution 

Steps  nsed  to  determine  risk  contribution  of  locations 

4.D.1  Identify  all  deviations  associated  v/ith  a  location 
4.D.2  Multiply  the  risk  contribution  of  each  deviation  by  the 
location's  contribution  to  deviation  risk 
4.D.3  Sum  the  fraction  of  risk  contribution  from  each  deviation 


5-52 


Coast  Guard  IRA  Manual 


Coarse  Hazard  Analysis 


Performing  an  Analysis 


Step  4.D.1  Identify  all  deviations  associoted  with  the  locotion,  the 

contribution  of  the  location  to  each  deviation  risk,  and  the 
risk  contribution  of  the  deidotions 


Location 

Deviations 

Contribution 
of  Location 

Deviation 

Risk 

Contribution 

Machinery 

spaces 

Not  operation/evolution  specific 

Operating  hand-operated  moving 
equipment 

Physical  hazards  exposure 

H 

0.0025 

Not  operation/evolution  specific 

Providing/maintaining  structures 

Physical  hazards  exposure 

H 

0.0105 

Not  operation/evolution  specific 

Providing/maintaining  structures 
Toxic/corrosive/reactive  materials 
exposure 

H 

0.233 

Not  operation/evolution  specific 

Operating  lifting  equipment 

Physical  hazards  exposure 

L 

0.003 

Not  operation/evolution  specific 
Operating  lifting  equipment 

Loss  of  support 

M 

0.0045 

Location 
Contribution 
by  Deviation 


Risk  contribution  of  machinery  spaces 
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Performing  an  Analysis 


Step  4.D.3 


□ 


Sum  the  froetion  of  risk  contribution  from  each  deination 


Location 


Deviations 


Machinery  operation/evolution  specific 
spaces  Operating  hand-operated  moving 
equipment 

Physical  hazards  exposure _ 

Not  operation/evolution  specific 
Providing/maintaining  structures 
Physical  hazards  exposure 

Not  operation/evolution  specific 
Providing/maintaining  structures 
Toxic/corrosive/reactive  materials 
exposure _ 

Not  operation/evolution  specific 
Operating  lifting  equipment 
Physical  hazards  exposure 

Not  operation/evolution  specific 
Operating  lifting  equipment 
Loss  of  support 


Risk  contribution  of  machinery  spaces 


Deviation 

Risk 

Contribution 

Location 
Contribution 
by  Deviation 

0.0025 

0.025 

0.0105 

0.105 

0.233 

2.33 

0.003 

0.0003 

0.0045 

0.0045 

1 
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Slep4.E 


Generate  a  risk  matrix 


Risk  matrix  —  a  matrix  depicting  the  risk  profile  of  a  class  of 
unit.  Each  cell  in  the  matrix  indicates  the  number  of  deviations 
having  that  frequency  and  consequence 


MB 

C 

D 

Continuous  (8) 

0 

0 

0 

Very  frequent  (7) 

0 

2 

2 

Frequent  (6) 

0 

5 

5 

Occasional  (5) 

1 

9 

9 

Probable  (4) 

2 

15 

22 

Improbable  (3) 

6 

14 

14 

Rare  (2) 

11 

17 

10 

Remote  (1) 

36 

20 

3 

Incredible  (0) 

9 

4 

0 

Number  of  Mishaps 
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The  risk  matrix  illustrates  the  distribution  of  deviations  accord¬ 
ing  to  their  frequency  of  producing  Class  A/B,  Class  C,  and 
Class  D  mishaps.  The  matrix  is  a  valuable  risk  communication 
tool  and  helps  decision  makers  understand  how  many  devia¬ 
tions  fall  into  the  various  categories. 


Note: 

The  risk  matrix  represents  a  typical  unit  in  a  unit  class.  For  a 
matrix  that  depicts  the  total  number  of  mishaps  in  each 
frequency  category  for  the  entire  class,  each  cell  of  the  risk 
matrix  should  be  multiplied  by  the  number  of  units  in  the 
unit  class. 


To  develop  a  risk  matrix  from  the  coarse  hazard  analysis, 
total  the  number  of  deviations  potentially  resulting  in  a 
Class  A/B,  Class  C,  and  Class  D  mishap  for  each  frequency 
-category. 


Deviation 

Frequency  Scores 

A/B 

c 

D 

Deviation  1 

5 

4 

7 

Deviation  2 

2 

4 

7 

Deviation  3 

0 

3 

4 

Deviation  4 

1 

2 

6 

Example 

There  are  two  deviations  with  a  Class  C  risk  score  of  4. 


Continuous  (8) 

0 

0 

0 

Very  frequent  (7) 

0 

0 

2 

Frequent  (6) 

0 

0 

1 

Occasionai  (5) 

1 

0 

0 

Probable  (4) 

0 

2 

1 

improbable  (3) 

0 

1 

0 

Rare  (2) 

1 

1 

0 

Remote  (1) 

1 

0 

0 

Incredible  (0) 

1 

0 

0 

Class  A/B 
Mishap 

Class  C 
Mishap 

Class  D 
Mishap 
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Performing  an  Analysis 


1.  Determine  the 
scope  of  the 
coarse  hazard 
analysis 


1 2.  Screen  low  risk  I 
ops/evs, 
functions, 
deviations,  and 
locations 


3.  Analyze 
deviations 


I 


A.  Determine  the 
risk  contribution  of 
deviations 


B.  Determine  the 
risk  contribution  of 
functions 


C.  Determine  the 
risk  contribution  of 
operations/ 
evolutions 


D.  Determine  the 
risk  contribution  of 
locations 


4.  Generate  a 
risk  profile 

n 

_ 

5.  Evaluate  the 
benefit  of  risk 
reduction 
recommendations 

E.  Generate  a  risk 
matrix 


I 


F.  Determine  the 
unit  class 
frequency  range 
of  mishaps 


F.1  Calculate  the 
lower  frequency  bounds  of 
each  frequency  category  for ) 
each  mishap  class 


F.2  Calculate  the 
upper  frequency  bounds  of  ^ 
each  frequency  category  for ) 
each  mishap  class 


I 


^G.  Compare  frequency^ 
estimates  with  historical 
experience 


F.3  Sum  all  tower 
[  frequency  bounds  and  upper  | 
frequency  bounds 


Step4.F 


Determine  the  unit  class  frequency  range  of  mishaps 


Frequency  range  —  a  lower  and  upper  limit  representing  the 
estimated  frequency  of  occurrence  of  a  class  of  mishap 


The  frequency  of  a  Class  A/B,  Class  C,  and  Class  D  mishap  for 
a  unit  class  (i.e.,  cumulative  effect  of  all  of  the  individual 
deviations)  is  determined  by  using  the  frequency  bounds  for  the 
frequency  categories  shown  in  the  risk  matrix.  The  frequency 
bounds  are  defined  in  Step  3.B. 
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The  frequency  ranges  for  Class  A/B,  Class  C,  and  Class  D 
mishaps  are  useful  in  understanding  the  overall  risk  associated 
with  a  unit  class.  They  also  provide  a  means  to  validate  the 
frequency  estimates  in  the  coarse  hazard  analysis  by  compar¬ 
ing  the  estimates  with  historical  mishap  data  described  in  the 
next  section. 

Overall  frequency  bonnds  for  Class  RfB,  C,  and  D  mishaps 


Estimated  Estimated  Estimated 

Frequenqf  Range  Frequency  Range  Frequency  Range 
for  Class  A/B  for  Class  C  for  Class  D 
Mishaps  Mishaps  Mishaps 

(per  year)  (per  year)  (per  year) 


Frequency 
Bounds 
(per  year) 

Frequency  — i 
Category  Lower  Upper 


Continuous  (8)  I  100 


Very  Frequent  I 
(7) 


Frequent  (6)  I  1 


Incredible  (0) 


Lower  |  Upper  |  Lower  |  Upper  |  Lower  |  Upper 


20  200 


Occasional  (5)  I  0.1 


Probable  (4)  I  0.01 


Improbable  (3)  I  0.001  0.01 


Rare  (2)  0.0001  0.001 


Remote  (1) 


0.14  1.4  i  0.22  2.2 


0.006  0.06  I  0.009  0.09  0.014  0.14 


0.0011  0.011  I  0.0015  0.015  0.001  0.01 


Frequency  Range 


0.1271  1.2746  1.3505  13.507  26.135  261.35 


Steps  to  determine  the  unit  class  fregnency  range  of  mishaps 

4.F.1  Calculate  the  lower  frequency  bounds  of  each  frequency 
category  for  each  mishap  class 

4.F.2  Calculate  the  upper  frequency  bounds  of  each  frequency 
category  for  each  mishap  class 

4.F.3  Sum  all  lower  frequency  bounds  and  upper  frequency 
bounds 


Coast  Guard  IRA  Manual 


5-59 


Coarse  Hozard  Analysis 


Performing  an  Analysis 


Step  4.F.1  Coleulate  the  lower  bounds  of  the  estimated  frequency  range 
for  Class  A/B  mishaps  by  multiplying  the  lower  frequency 
bounds  times  the  number  of  deviations  with  Closs  A/B 
mishops  in  eoch  frequency  cotegory 
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Step  4.E2  Coleulate  the  upper  bounds  of  the  estimated  frequency  range 
for  Class  A/B  mishaps  by  mnltipl^ng  the  upper  frequency 
bounds  times  the  number  of  deviations  with  Class  A/B 
mishaps  in  each  frequency  category 


Frequency 

Bounds 


1  (per  year) 

1  Risk  Matrix  | 

Frequency 

Category 

Lower 

upper 

QHB 

Continuous  (8) 

100 

No  limit 
(100) 

DDD 

Very  Frequent 
(7) 

10 

100 

DDD 

Frequent  (6) 

1 

10 

DDQ 

Occasional  (S) 

0.1 

1 

DHD 

Probable  (4) 

0.01 

0.1 

Improbable  (3) 

0.001 

0.01 

□DD 

Rare  (2) 

0.0001 

0.001 

Remote  (1) 

0 

0.0001 

Incredible  (0) 

D 

D 

ODD 

Estimated 
Frequency  Range 
for  Class  A/B 
Mishaps 
(per  year) 


Frequency  Range 


Note: 

The  upper  frequency  bounds  for  the  frequency  category 
"Continuous  (8)"  is  "No  Limit."  For  this  calculation,  use  100 
as  the  limit. 
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Step  4.E3  Total  the  lower  ond  upper  bounds  columns  for  the  overall 

frequency  bounds  of  Class  A/B  mishaps  (repeat  steps  for  all 
classes  of  mishaps) 


Frequency 

Category 


Continuous  (8) 


Very  Frequent 
(7) 


Frequent  (6) 


Occasional  (5)  0.1 


Probable  (4)  0.01 


Improbable  (3)  0.001 


Rare  (2) 


Remote  (1) 


Incredible  (0) 


Frequency 
Bounds 
(per  year) 


Lower  Upper 


No  limit 


Risk  Matrix 


Estimated  Estimated  Estimated 

Frequency  Range  Frequency  Range  Frequency  Range 
for  Class  A/B  for  Class  C  for  Class  D 
Mishaps  Mishaps  Mishaps 

(per  year)  (per  year)  (per  year) 


Frequency  Range 


The  data  from  the  analysts  can  be  summarized  in  the  table 
below. 


Unit  Class*  Frequency 
Range  for  Mishaps 
(per  year) 


Unit  Class 

Typical  Unit  Frequency 
Range  for  Mishaps 
(per  year) 

Typical  Unit  Expected 
Number  of  Occurrences 
over  50  Years 

A/B 

C 

B 

A/B 

B 

Bl 

Unit  Class  1 

0.13  to 
1.3 

1.4  to 
14 

26  to 
261 

7t0  65 

70  to 
700 

1300  or 
more 

14  to  261  to 
140  2610 


*Ten  vessels  in  the  example  dass. 


Expected  number  of  occurrences  over  50  years  is  deter¬ 
mined  by  multiplying  the  frequency  range  for  mishaps  (per 
year)  by  50.  This  information  is  useful  in  understanding  the 
expected  number  of  mishaps  over  the  life  of  a  unit  class.  This 
can  be  calculated  for  any  length  of  time  of  interest. 

Unit  class  frequency  range  for  mishaps  is  determined  by 
multiplying  the  typical  unit  frequency  range  by  the  number  of 
units  in  the  unit  class.  This  information  can  be  used  to  compare 
the  level  of  risk  associated  with  different  unit  classes. 
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1.  Determine  the  | 
scope  of  the 
coarse  hazard 
analysis 


2.  Screen  low  risk 
ops/evs. 
functions, 
deviations,  and 
locations 


A.  Determine  the 
risK  contribution  of 
deviations 


B.  Determine  the 
risk  contribution  of 
functions 


3.  Analyze 
deviations 


4,  Generate  a 
risk  profile 


C.  Determine  the 
risk  contribution  of 
operations/ 
evolutions 


D.  Determine  the 
risk  contribution  of 
locations 


I 


5.  Evaluate  the 
benefit  of  risk 
reduction 

I  recommendations 


E  Generate  a  risk 


F.  Determine  the 
unitdass 

frequency  range  of 
mishaps 


■ 

■ 

r 

G.  Compare 

^  1 

frequency  estimates 
with  historical 

experience 

i 

G.1  Calculate  the 
experienced  mishap 
frequency  from  historical 
databases 


G.2  Compare  the 
historical  mishap 
^frequency  with  the  estimated^ 
mishap  frequency 


Step  4.G 


Compare  frequency  estimates  with  historical  experience 


Analyzing  historical  data  provides  a  means  to  validate  the 
coarse  hazard  analysis  study. 


Unit  Class 

Unit  Class  Estimated  Frequency 

Range  for  Mishaps  (per  year) 

Unit  Class  Mishap  Frequencies 

Based  on  Coast  Guard  (MiSREP  and 
CASREP)  Data  (per  year) 

Am 

C 

D 

Am 

C 

D 

Unit  Class  1 

0.13  to  1.3 

1.4  to 

14 

26  to  261 

0.1 

5 

109 

Historical  data  that  are  slightly  higher  than  the  estimated 
frequencies  from  the  coarse  hazard  analysis  may  reflect: 

•  A  lack  of  relevant  experience  among  coarse  hazard  analysis 
team  members  vrith  deviations  that  occur  infrequently  {e.g., 
potential  omissions  in  the  list  of  deviations  or  in  the  list  of 
causes) 

•  Implementation  of  corrective  actions  to  prevent  repeated 
mishaps,  reducing  the  frequency  of  future  events 
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■  A  limited  number  of  functions  may  hove  been  reviewed 
during  the  coarse  hazard  analysis 

Historical  data  that  are  slightly  lower  than  the  estimated  fre¬ 
quencies  from  the  coarse  hazard  analysis  may  reflect: 

•  Potential  overlap  in  issues  covered  by  the  identified  deviations 

•  Overemphasis  by  the  coarse  hazard  analysis  team  on  certain 
events  that  occurred  in  recent  years 

Steps  to  compare  frequency  estimates  with  historical  experience 

4.G.1  Calculate  the  experienced  mishap  frequency  from 
historical  databases 

4.G.2  Compare  the  historical  mishap  frequency  with  the 
estimated  mishap  frequency 


5-64 


Coast  Gnord  IRA  Manuol 


Coar»BHazardAnalpis^^^__^i^____^^^^^^Perfomin^^ 

Step  4.G.  1  Calculate  the  experienced  mishap  frequency  for  Class  A/B, 
Class  C,  and  Class  D  mishaps  from  historical  databases 

I . ""'I  Frequency  for  a  mishap  class  =  (Number  of  events  In  the  severity 

1  ■  .  .1  class)/(Time  Period) 


Note: 

Be  certain  that  the  complete  set  of  historical  data  is  ac¬ 
counted  for  when  making  this  comparison.  Coast  Guard 
mishap  data  are  currently  stored  in  several  databases  (i.e., 
MISREP  and  CASREP).  Also,  be  certain  that  mishaps  are  not 
double  counted  when  compiling  data  from  these  databases. 

Example: 

Class  A/B  mishaps  over  a  1 0-year  period  =  1 
Frequency  of 

Class  A/B  mishaps  =  1/10 

=  0.1  Class  A/B  mishaps 
per  year  for  the  unit  class 


Coast  Guard  IRA  Monual 


5-65 


Coarse  Hazard  Analysis 


Performing  an  Analysis 


Step  4.G.2 

Compare  the  historical  mishap  frequency  with  the  estimated 

mishap  frequency 

Performing  an  Analysis 


Step  5  Evaluate  the  Benefit  of  Risk  Reduction 
Recommendations 

Each  recommendation  from  the  coarse  hazard  analysis  is  de¬ 
signed  to  reduce  the  risk  associated  with  the  deviations  discussed 
during  the  analysis.  These  recommendations  may  serve  as  pre¬ 
ventive  or  mitigative  safeguards,  and  may  apply  to  more  than 
one  deviation. 

This  section  provides  a  means  to  estimate  the  dollar/year  savings 
due  to  the  reduced  risk  realized  by  implementing  recommenda¬ 
tions.  The  dollar  savings  can  be  compared  to  the  implementation 
cost  of  the  recommendation  in  a  cost/benefit  analysis.  Decision 
makers  will  use  this  cost/benefit  analysis  to  decide  if  a  recom¬ 
mendation  should  be  implemented. 
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Step 


Determine  revised  frequency  scores  and  RINs 


The  benefit  of  implementing  each  coarse  hazard  analysis 
recommendation  is  estimated  by  determining  the  potential 
reduction  in  frequency  scores  of  deviations  affected  by  the 
recommendations. 


Coarso  Hazard  Analysis 
Recommendations 

Associated 

Deviations 

initial 

Frequencies 
and  RIN 

Revised 
Frequencies 
and  RIN 

Certainty 
in  Revised 
RIN 

Notes 

Recommendation  1- 
Consider  improving  the 
ability  of  bridge  and  deck 
watchstanders  to  view 
towing  operations  and 
towed  vessels  by  relocating 
the  am 

Towing 

Operating  vessels/ 
craft 

Incorrect  position/ 
direction/speed 

2.  3,4 

0.009 

1.2,3 

0.0009 

Med 

Towing 

Operating  vessels/ 
craft 

Physical  hazards 
exposure 

2.  4.5 

0.063 

2.  4.6 

0.063 

High 

No  significant 
risk  reduction 
expected 

Recommendation  2- 
Consider  improving  the 
towing  gear  to  increase 
deck  crew  efficiency  and 
reduce  their  exposure  to 
physical  hazards 

Towing 

Operating  deck 
equipment 

Physical  hazards 

1.3,7  1 

3.003 

2,  3,4 

0.009 

Low 

Steps  to  determine  revised  frequency  scores  and  RINs 

5.A.1  Identify  deviations  associated  with  each  recommenda¬ 
tion 

5.A.2  Estimate  revised  mishap  frequency  scores  and  RINs  for 
each  deviation 

5.A.3  Determine  the  certainty  of  the  estimates 
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Step  5  JLl  Identify  the  deviotions  ossoeiated  with  each  recommendation 
ond  their  frequency  scores  ond  RlNs 
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Step  5  JL2  Estimate  revised  Class  A/B,  Class  C,  and  Class  D  frequency 
scores  for  each  deviotion  offected  by  the  recommendation 
and  calculate  revised  RlNs 


Coarse  Hazard  Analysis 
Recommendations 

Associated 

Deviations 

Initial 

Frequencies 
and  RIN 

Recommendation  t- 
Consider  improving  the 

Towing 

Operating  vessels/ 

2.  3,4 

ability  of  bridge  and  deck 
watchstanders  to  view 
towing  operations  and 

craft 

Incorrect  position/ 
direction/speed 

0.009 

towed  vessels  by  relocating 
theClWS 

Towing 

Operating  vessels/ 
craft 

Physical  hazards 
exposure 

2.  4,5 

0.063 

Recommendation  2- 
Consider  improving  the 

Towing 

Operating  deck 

1.3.7 

towing  gear  to  increase 
deck  crew  efficiency  and 
reduce  their  exposure  to 
physical  hazards 

equipment 

Physical  hazards 

3.003 

Revised 
Frequencies 
and  RIN 


Certainty 
In  Revised 

RIN  Notes 


Note: 

Assume  that  the  recommendation  is  effectively  implemented. 


For  each  deviation,  estimate  new  frequency  scores  with  the 
recommendation  (new  safeguard)  in  place.  It  may  be  necessary 
to  review  the  coarse  hazard  analysis  tables  to  understand  the 
causes,  mishaps,  and  safeguards  associated  with  the  deviation. 
Calculate  a  revised  RIN  using  the  new  frequency  scores. 


RIN  =  (0.3  *  +  0.03  *  10(^^  +  0.003  *  ?0<“>  )/W,000 
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Step  5  A.3  Determine  the  certainty  in  the  estimote  of  the  revised 
frequency  scores  and  provide  any  pertinent  notes 


Coarse  Hazard  Analysis 
Recommendations 

Associated 

Deviations 

Initial 

Frequencies 
and  RIN 

Revised 
Frequencies 
and  RIN 

Certainty 
in  Revised 
RIN 

Notes 

Recommendation  U 
Consider  improving  the 
ability  of  bridge  and  deck 
watchstanders  to  view 
towing  operations  and 

Towing 

Operating  vessels/ 
craft 

incorrect  position/ 
direction/speed 

Z3.4 

0.009 

1.2.3 

0.0009 

Med 

towed  vessels  by  relocating 
tbeCIWS 

Towing 

2. 4.5 

2. 4.5 

High 

No  significant 
risk  reduction 
expected 

Operating  vessels/ 
craft 

Physical  hazards 
exposure 

0.063 

0.063 

Recommendation  2- 

Towing 

1,3.7 

2.  3.4 

Low 

Consider  improving  the 

Operating  deck 

towing  gear  to  increase 

equipment 

3.003 

0.009 

deck  crew  efficiency  and 

Physical  hazards 

reduce  their  exposure  to 

physical  hazards 

Note: 

Decision  makers  will  have  to  consider  whether  frequencies  in 
the  Low  certainty  category  should  be  used  when  determining 
the  dollar  benefit  of  the  reduced  risk. 


The  certainty  characterizes  the  confidence  in  the  assessment  of 
the  frequency  scores.  The  certainty  categories  are  High,  Me¬ 
dium,  and  Low,  and  are  explained  in  Step  3.B. 
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1.  Determine  the 
scope  of  the 
coarse  hazard 
analysis 


B.1  Sum  the  baseline 
RiNs  and  revised  RINs  of 
deviations  associated  with 
the  recommendation 


12.  Screen  low  risk  I 
ops/evs, 
functions, 
deviations,  and 
locations 


3.  Analyze 
deviations 


B.2  Subtract  the  revised 
RIN  from  the  baseline  RIN 


A.  Determine 
revised  frequency 
scores  and  RINs 


^B.3  Multiply  the  chang^ 
in  RIN  by  10, 000  for  the 
lower  bounds  of  $/year 
savings 


4.  Generate  a  risk 
profile 

5.  Evaluate  the 
benefit  of  risk 
reduction 
recommendations 

T 


B.  Determine  the 
benefit  of 
implementing 
recommendations 


B.4  Multipiy  the  lower 
bounds  by  10  for  the  upper 
bounds  of  $/year  savings 


B.5  Compare  the 
estimated  range  of  dollar 
savings  for 
alt  recommendations 


Step  5.B 


Determine  the  benefit  of  implementing  recommendations 


The  potential  benefit  gained  from  implementing  a  recommen¬ 
dation  can  be  calculated  by  determining  the  change  in  the  risk 
index  numbers  for  the  deviations  affected  by  the  recommenda¬ 
tions. 


Recommendation 

Deviation 

Baseline 

RIN 

Revised 

RiN 

Change 
in  RIN 

Risk  Reduction  ($/year) 

Lower 

Upper 

1 

1 

0.006 

0.0006 

0.089 

890 

8,900 

2 

0.09 

0.0063 

3 

- 

- 

4 

0.36 

0.36 

Total 

0.456 

0.3669 

2 

1 

0.36 

0.009 

2 

0.36 

0.0063 

3 

- 

- 

Total 

0.72 

0.0153 

0.70 

7,000 

70,000 
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Steps  to  determine  the  benefit  of  implementing  recommendations 

5.B.1  Sum  the  baseline  RINs  and  revised  RINs  of  deviations 
associated  with  the  recommendation 

5.B.2  Subtract  the  revised  RIN  from  the  baseline  RIN 

5.B.3  Multiply  the  change  in  RIN  by  10,000  for  the  lower 
bounds  of  $/year  savings 

5.B.4  Multiply  the  lower  bounds  by  10  for  the  upper  bounds 
of  $/year  savings 

5.B.5  Compare  the  estimated  range  of  dollar  savings  for  all 
recommendations 
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Step  5.B.  1  Sum  the  boseline  BINs  and  revised  RlNs  of  deviations 
associated  with  the  recommendation 


Recommendation  Deviation 


Baseline  Revised  Change 


Risk  Reduction  ($/year) 


Total  I  0.72 


Note: 

Decision  makers  will  have  to  consider  whether  deviations 
with  RIN  in  the  low  certainly  category  should  be  used  when 
determining  the  dollar  benefit  of  the  reduced  risk 


Coast  Guard  IRA  Manual 


Performing  an  Jlnalvsis 


Coarse  Hazard  Analysis 


Step  S.B.2  Subtract  the  revised  BIN  from  the  baseline  BIN  to  determine 
the  chonge  in  BIN 


Coarse  Hazard  Analysis 
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Step  5«B*3 


Multiply  the  change  in  BIN  by  10,000  for  the  lower  bounds  of 
$/yeor  sovings  from  the  risk  reduction 


Recommendation 

Deviation 

Baseline 

RIN 

Revised 

RIN 

Change 
in  RIN 

Risk  Reduction  ($/year) 

Lower 

Upper 

1 

1 

0.006 

0.0006 

0.089 

2 

0.09 

0.0063 

3 

- 

- 

4 

0.36 

0.36 

Total 

0.456 

0.3669 

890 

2 

1 

0.36 

0.009 

0.70 

2 

0.36 

0.0063 

3 

- 

- 

Total 

0.72 

0.0153 

7,000 

The  equation  for  calculating  RIN  is  the  risk  equation  divided  by 
10,000,  and  is  derived  using  the  lower  limits  of  the  frequency 
categories.  Multiplying  the  RIN  by  1 0,000  results  in  risk  values 
stated  in  terms  of  potential  dollar  savings  on  a  yearly  basis.  This 
value  is  the  lower  bounds  of  the  estimated  savings  since  it  is 
based  on  the  lower  bounds  of  the  frequency  categories. 
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Step  5.B.4 


Multiply  the  lower  bounds  by  10  for  the  upper  bounds  of 
$/yeor  sovings  from  the  reduced  risk 


Recommendation 

Deviation 

Baseline 

RIN 

Revised 

RIN 

Change 
in  RIN 

Risk  Reduction  ($/year) 

Lower 

Upper 

1 

1 

0.006 

0.0006 

0.089 

890 

2 

0.09 

0.0063 

3 

- 

- 

4 

0.36 

0.36 

Total 

0.456 

0.3669 

8,900 

2 

1 

0.36 

0.009 

2 

0.36 

0.0063 

3 

- 

- 

Total 

0.72 

0.0153 

0.70 

7,000 

70,000 

The  frequenqr  categories  represent  ranges,  and  these  ranges 
cover  an  order  of  magnitude.  Since  the  RIN  equation  is  derived 
from  the  lower  frequency  bounds,  the  upper  bounds  of  estimated 
risk  reduction  are  determined  by  multiplying  the  lower  bounds 
by  1 0.  The  upper  bounds  are  the  maximum  estimated  $/year 
savings  potentially  realized  from  implementing  the  recommenda¬ 
tion. 


Coast  Guard  IRA  Manual 


5-77 


Coarse  Hozard  Analysis 


Performing  an  Analysis 


Step  5.B.5  Compare  the  estimated  range  of  dollar  savings  for  all 
recommendations 

The  estimated  range  of  dollar  savings  of  each  recommendation 
can  be  compared  in  several  ways  (see  graph  below).  The  com¬ 
parison  allows  decision  makers  to  decide  which  recommenda¬ 
tion  should  be  implemented  and  in  what  order.  In  the  graph, 
savings  is  represented  over  a  50-year  period  (expected  life  of  a 
new  vessel)  by  multiplying  the  savings  calculated  in  the  step 
above  by  50.  For  a  unit  currently  in  operation,  an  appropriate 
period  of  time  should  be  chosen.  The  cost  of  implementing  the 
recommendation  (out  of  the  scope  of  the  IRA  process)  can  be 
included,  as  below,  to  assist  decision  makers  in  deciding 
whether  to  proceed  with  implementation  or  not. 

Displaying  all  recommendations  together  allows  comparison  of 
recommendations  so  that  resources  can  be  spent  on  the  most 
effective  recommendations  first. 
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Recommendations 

*  A  reasonable  estimate  of  savings  is  only  possible  after  further  review. 

't  Savings  estimate  assumes  Class  A/B  mishaps  cost  $300,000  and  Class  C/D 
mishaps  cost  $30,000. 

^  Estimated  total  cost  of  implementing  recommendation. 

Note:  Savings  shown  account  for  50-year  life  of  a  vessel. 
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Updating  an  Analysis 


The  IRA  Coarse  Hazard  Analysis 

■  Introduction 

■  Performing  a  coarse  hazard  anolysis 


■  Updating  a  coarse  hazard  analysis 


■  Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 

■  Making  decisions  using  the  coarse  hazard 
analysis 

■  Evaluating  change  using  a  coarse  hazard 
analysis 


Updating  a  Coarse  Hazard  Analysis 

The  coarse  hazard  analysis  information  will  occasionally  need  to 
be  updated  to  ensure  that  an  accurate  assessment  of  risk  is 
maintained  for  each  unit  class.  Potential  reasons  to  update  the 
information  include: 

•  Addition,  deletion,  or  modification  of  significant  unit  equip¬ 
ment  or  systems 

•  Addition,  deletion,  or  modification  of  significant  administra¬ 
tive  processes  or  procedures 

•  Significant  reduction  or  addition  of  manpower  for  critical 
operations 

•  Introduction  of  new  hazards  not  previously  assessed 

•  An  increase  in  mishaps  or  near  misses 

There  are  two  methods  to  update  the  coarse  hazard  analysis 
information: 

1 .  Updating  the  information  using  the  coarse  hazard 
analysis  process 

The  simplest  way  to  update  the  information  in  the  coarse 
hazard  analysis  is  to  re-analyze  the  section  or  sections  of  the 
analysis  requiring  the  update.  This  is  accomplished  by  repeat¬ 
ing  the  steps  described  in  performing  the  coarse  hazard  analy¬ 
sis. 

2.  Updating  the  information  using  the  IRA  safety  survey 
process 

The  coarse  hazard  analysis  information  can  be  updated  using 
historical  data  from  the  safety  survey  process.  This  method  is 
discussed  in  the  risk-based  safety  survey  section  of  the  manual. 
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The  niA  Coarse  Hazard  Analysis 

■  Introduction 

■  Performing  a  coarse  hazard  analysis 

■  Updating  a  coarse  hazard  analysis 


■  Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 


■  Making  decisions  using  the  coarse  hazard 
analysis 

■  Evaluating  change  using  a  coarse  hazard 
analysis 


Information  Exchange  Between  the  Coarse  Hazard 
Analysis  and  the  Risk-based  Safety  Survey 


list  of  Coast  Guard  aafeguarda 


Dapandabiltty  of  aaftguarda 


Risk  characterization  of  deviations 


<  Risk-based  recommendations  for 
modifying  requirements 

<  Risk-based  recommendations  for 
modifying  evaluation  points 


Safeguards  Identified  In 
the  hazard  analysis 


Coarse  Hazard  Analysis  <=>  Risk-based  Safety  Survey 

I.  Risk  characterization  for  deviations 
The  safety  survey  process  uses  the  risk  characterization  of 
deviations  to  characterize  survey  findings.  By  trending  findings, 
the  dependability  of  safeguards  can  be  analyzed.  It  may  be 
necessary  to  adjust  the  risk  scores  associated  with  certain 
deviations  to  reflect  the  historical  safeguard  information  from 
the  safety  surveys. 
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2.  Risk-based  recommendations  for  adding/modifying/deleting 
requirements  or  evaluation  points 

While  evaluating  possible  deviations  that  may  lead  to  mis¬ 
haps,  coarse  hazard  analysis  teams  may  identify  that  a  Coast 
Guard  requirement  should  be  (1)  added  to  provide  an  addi¬ 
tional  safeguard  or  to  make  an  existing  safeguard  more 
effective,  (2)  modified  to  make  an  existing  safeguard  more 
effective  or  its  implementation  less  burdensome,  and/or  (3) 
eliminated  because  of  marginal  (or  no)  benefit. 

3.  Required  safeguards  identified  during  the  coarse  hazard  analy¬ 
sis 

The  coarse  hazard  analysis  identifies  safeguards  necessary  to 
achieve  an  acceptable  level  of  risk.  Requirements  and  evalua¬ 
tion  points  ensure  these  safeguards  are  effectively  performing 
their  design  intent. 

Risk-based  Safety  Survey  o  Coarse  Hazard  Analysis 

1 .  List  of  Coast  Guard  safeguards 

The  requirements  v/ithin  the  safety  surveys  define  hov/  the 
Coast  Guard  will  implement  safeguards  to  prevent  mishaps. 
These  requirements  and  safeguards  provide  the  bases  for 
coarse  hazard  analysis  teams  to  judge  whether  the  risk  of 
possible  deviations  is  acceptable. 

2.  Information  about  the  dependability  of  safeguards 

Summaries  of  frequencies/severities  of  nonconformances 
from  Coast  Guard  requirements  during  past  surveys  help 
hazard  analysis  teams  judge  the  dependability  of  safeguards 
in  preventing  mishaps. 
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The  IRA  Coarse  Hazard  Analysis 

■  Introduction 

■  Performing  a  coarse  hazard  analysis 

■  Updating  a  coarse  hazard  analysis 

■  Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 


■  Making  decisions  using  the  coarse  hazard 
analysis 


■  Evaluating  change  using  a  coarse  hazard 
analysis 


Making  Decisions  Using  the  Coarse  Hazard  Analysis 

The  IRA  hazard  analysis  results  allow  decision  makers  to  incor¬ 
porate  risk-based  information  into  the  Coast  Guard  decision¬ 
making  process.  This  section  describes  the  ways  the  Coast 
Guard  decision  makers  — 

•  Procurement  managers 

•  Engineering  managers 

•  Facilities  managers 

•  Unit  commands 

•  Unit  safety  managers 

•  Senior  management 

use  the  hazard  analysis  results  in  the  following  Coast  Guard 
activities: 

•  Procurement 

•  Construction,  fabrication,  and  commissioning 

•  Unit  operations  and  maintenance 

•  Area,  district,  or  group  management  of  operations  and 
maintenance 

•  Decommissioning 

For  each  activity,  the  following  table  provides  typical  uses  of 
the  hazard  analysis  that  support  the  activity,  example  outcomes 
from  using  the  hazard  analysis,  and  the  applicable  hazard 
analysis  results  required  to  achieve  the  outcome.  Only  the 
activities  that  are  applicable  to  a  specific  decision  maker  are 
listed. 
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Type  of  Activity 

Decision  Maker 

Use  of  Hazard  Analysis 

Example  Outcomes 

Applicable  Hazard 
Analysis  Results 

Procurement 

Procurement 

Managers 

Engineering 

Managers 

Facilities  Managers 

Identification  of  major  hazards 
(including  human  factors  issues) 
and  required  hazard  controls  while 
developing  bid  specifications  for 
major  acquisitions  (e.g.,  new 
vessels  or  major  onboard  systems) 

Requiring  built-in  redundancy  for 
specific  components  of  a  vessel's 
automated  navigation  system 

1.  Hazards  and  required 
safeguards 

2.  Recommendations  for 
reducing  risk 

Vessel  Safety 
Managers 

Senior  Management 

Risk-based  selection  (including 
consideration  of  other  factors,  such 
as  cost)  among  competing  design 
alternatives  for  major  acquisitions 

Determining  (and  documenting) 
that  Design  A  provides  "best  value" 
to  the  Coast  Guard  because  it 
poses  significantiy  less  risk  of 
major  losses  than  Design  B.  which 
is  slightly  less  expensive 

1.  Hazards  and  required 
safeguards 

2.  Risk  impact  of  alternatives 

3.  Risk  ranking  of  design 
alternatives 

Construction, 
Fabrication,  and 
Commissioning 

Engineering  Managers 

Facilities  Managers 

Vessel  Safety 
Managers 

Identification  of  design 
weaknesses,  safe  operating  limits, 
critical  preventive  maintenance 
tasks,  human  factors  issues,  etc., 
for  selected  systems  (i.e.,  those 
that  could  lead  to  losses  of  interest) 
after  the  final  design  is  complete  for 
major  acquisitions 

1.  Requiring  an  audible  alarm  and 
semiannual  calibration  of 
fathometers  for  a  vessel 

2.  Requiring  the  use  of  a  chain  fall 
to  lower  and  raise  the  safety 
nets  around  the  flight  deck  of 
WHEC-378S 

1.  Hazards  and  required 
safeguards 

2.  Recommendations  for  risk 
reduction 

Evaluation  of  proposed  changes 
and  identified  nonconformances 
from  the  approved  design 

Approving  a  proposed  field  change 
(or  a  recognized  nonconformance) 
in  the  routirig  of  a  high-pressure 
steam  line  because  the  new  routing 
poses  no  identifiable  increase  in 
risks  to  personnel  or  equipment 

1.  Hazards  and  required 
safeguards 

2.  Changes  in  risk  due  to  design 
modifications 

Vessel  Operations  and 
Maintenance 

Engineering  Managers 

Facilities  Managers 

Vessel  Commands 

Vessel  Safety 
Managers 

Identification  of  precautions  to  be 
taken  in  performing  operations 
outside  of  prescribed  limits  (case- 
by-case  basis  for  decisions  made 
by  vessel-board  personnel) 

Establishing  more  stringent 
maneuvering  restrictions  and 
additional  watch  requirements  for 
performing  a  search  and  rescue 
(SAR)  operation  in  extreme  weathei 
conditions  that  would  normally 
cause  discontinuation  of  the 
operation 

1.  Hazards  due  to  abnormal 
conditions 

2.  Changes  in  risk  due  to  the 
abnormal  conditions 

3.  Additional  safeguards  for 
abnormal  conditions 

Identification  of  precautions  to  be 
taken  in  preparation  for  performing 
operations  when  relevant  vessel 
systems  will  be  unavailable  (case- 
by-case  basis  for  operations/ 
efficiencies  identified  by  vessel- 
board  personnel) 

1.  Additional  precautions  when  an 
interlock  on  an  elevator  door  is 
out  of  service 

2.  Posting  additional  watches  and 
conducting  special  operations 
briefings  before  conducting  an 
operation 

1.  Hazards  during  abnormal 
conditions 

2.  Changes  in  risk  due  to  the 
abnormal  conditions 

3.  Additional  safeguards  for 
abnormal  conditions 

Evaluation  of  proposed  changes 
and  identified  nonconformances 
from  the  standard  vessel 
configuration  (case-by-case  basis 
for  changes  suggested  and 
approved  by  vessel-board 
personnel) 

Rejecting  a  request  to  temporarily 
store  equipment  on  the  deck  while 
a  storage  locker  is  being  replaced 
because  the  movement  of  the 
equipment  under  expected  high 
seas  could  lead  to  losses  of 
interest 

1.  Hazards  due  to  modified 
vessel  configurations 

2.  Changes  in  risk  due  to 
modified  vessel 
configurations 

Identification  of  weaknesses  in 
procedures  that  could  lead  to 
losses  of  interest  (case-by-case 
basts  for  procedures  developed  anc 
approved  by  vessel-board 
personnel) 

Revising  vague  steps  of  a 
procedure  (e.g.,  "open  the  valve 
slightly"),  because  a  human  error 
associated  with  the  operation  could 
lead  to  a  loss  of  interest 

1.  Hazards  and  required 
safeguards 

2.  Recommendations  for  risk 
reduction 
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Type  of  Activity  Decision  Maker 


Area,  District,  or 
Group  Management  of 
Operations  and 
Maintenance 


Facilities  Managers 

Vessei  Safety 
Managers 

Senior  Management 


Use  of  Hazard  Anaiysis 

Example  Outcomes 

Applicable  Hazard 
Analysis  Results 

identification  of  design 
weaknesses,  safe  operating  limits, 
critical  preventive  maintenance 
tasks,  human  factors  issues,  etc., 
for  selected  systems  (i.e..  those 
that  could  lead  to  losses  of  interest) 
aboard  existing  ships  that  did  not 
receive  such  reviews  before  being 
placed  in  operation 

1.  Recommendations  for  side- 
scanning  sonar  to  detect 
submerged  objects  for  cutters 
traveling  around  reefs 

2.  Recommending  redesign  of  a 
small  craft  launching  system 
component  that  could 
inadvertently  trigger  a  release  of 
a  boat 

1.  Hazards,  required 
safeguards,  and 
recommendations 

2.  Vessel  risk 

Identification  of  design 
weaknesses,  safe  operating  limits, 
critical  preventive  maintenance 
tasks,  human  factors  issues,  etc., 
for  selected  systems  (i.e.,  those 
that  could  lead  to  losses  of  interest) 
aboard  existing  ships  that  did  not 
receive  such  reviews  before  being 
placed  in  operation 

1.  Recommendations  for  side¬ 
scanning  sonar  to  detect 
submerged  objects  for  cutters 
traveling  around  reefs 

Z  Recommending  redesign  of  a 
small  craft  launching  system 
component  that  could 
inadvertently  trigger  a  release  ol 
a  boat 

1.  Hazards,  required 
safeguards,  and 
recommendations 

2.  Vessel  risk 

Identification  of  safe  operating 
limits  (from  an  operations/ 
command  perspective  rather  than  a 
hardware  system  design 
perspective,  which  was  addressed 
during  design  reviews)  and 
preferred  precautions  to  be  taken  if 
operating  outside  of  such 
restrictions 

Prohibiting  aircraft  fueling 
operations  ar^d  other  flammable 
material  handling  activities  until 
disabled  onboard  firefighting 
systems  are  returned  to  service,  bu 
allowing  emergency  fueling 
operations  if  another  onboard  pump 
can  be  rigged  to  temporarily  provide 
adequate  firefighting  capability 

1.  Hazards  and  required 
safeguards 

2.  Recommendations  for 
reducing  risk 

3.  Changes  in  risk  when 
operating  out  of  the 
restrictions 

Identification  of  critical  training 
topics,  standard  procedures 
necessary,  etc.,  for  preventing 
losses  of  Interest 

Deciding  to  write  a  special 
procedure  and  conduct  special 
training  for  the  proper  way  to  launct 
a  new  type  of  smalt  craft  (because 
the  operation  is  significantly 
different  from  similar  operations 
with  older  small  craft) 

Hazards,  required  safeguards, 
and  recommendations 

Identification  of  weaknesses  in 
procedures  and  human  factors 
issues  that  could  lead  to  losses  of 
interest  (for  standard  procedures 
applicable  to  a  class  of  vessels  or 
the  entire  fleet) 

Making  the  units  of  pressure 
referenced  in  a  pror^ure  (e.g.,  SI 
units)  consistent  with  those 
commonly  used  aboard  a  vessel 
and  on  the  vesseTs  gauges  (e.g., 
English  units)  to  help  prevent 
confusion  that  could  lead  to  an 
operating  error 

Hazards,  required  safeguards, 
and  recommendations 

Evaluation  of  proposed  changes  for 
standard  vessel  configurations 
(case-by-case  basis  for  changes 
approved  by  group/fleet  officers) 

Deciding  (1)  against  a  crew 
reduction  aboard  an  MEC  270 
cutter  because  of  unacceptable 
risks  associated  with  degraded 
watch  standards  or  (2)  in  favor  of  a 
aew  reduction  provided  that  each 
vessel  is  equipped  with  new 
navigation  and  vessel  detection 
systems 

Changes  in  risk  due  to  modified 
vessel  configurations 
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Type  of  Activity 

Decision  Maker 

Use  of  Hazard  Anaiysis 

Example  Outcomes 

Applicable  Hazard 
Analysis  Results 

Area,  District,  or 

Group  Management  of 
Operations  and 
Maintenance 
(continued) 

Engineering  Managers 

Facilities  Managers 

Vessel  Safety 

Monitoring  profiles  of  risks  for 
classes  of  vessels  across  the 

Coast  Guard  to  help  understand/ 
manage  risks  at  a  fleet  level 

Determining  that  a  specific  dass  of 
vessel  is  the  next  to  receive  a  major 
overhaul  (or  replacement)  program 
because  of  high  loss  rates 

Risk  profiles  for  vessel  dasses 

Managers 

Senior  Management 

Assigning  measures  of  importance 
to  safety  inspection  items  to  help 
prioritize  responses  to  noted 
deficiencies 

Deferring  resolution  of  a  few 
defidendes  noted  during  a  safety 
inspection  until  next  fiscal  year 
because  the  defidendes  do  not 
pose  any  significant  risks  of  losses 

Hazards  and  required 
safeguards 

Risk<based  selection  Onduding 
consideration  of  other  factors,  such 
as  cost)  among  competing 
alternatives  such  as  vessel 
deployment  mission  assignments, 
etc. 

Deciding  to  send  Vessel  A  on  an 
extended  international  tour  because 
the  potential  for  losses  associated 
with  (1)  its  tour  and  (2)  its  absence 
from  its  normal  station  are  less 
than  those  for  Vessel  B 

1.  Risk  ranking  of  vessel  dass 
operations/evolutions  and 
functions 

2.  Risk  profiles  for  vessel 
dasses 

Decommissioning 

Facilities  Managers 

Senior  Management 

Risk-based  selection  (including 
consideration  of  other  factors,  such 
as  cost  arKi  political  pressure) 
among  competing  alternatives  for 
vessel/station  decommissioning 

Deciding  (and  gaining  support  for 
the  dedsion)  to  decommission 
Vessel  B  instead  of  Vessel  A,  even 
though  there  is  some  political 
support  for  keeping  Vessel  B  in 
senrice 

Risk  profiles  of  vessels 

Identification  of  weaknesses  in 
equipment  used  for 
decommissioning  and  associated 
procedures  that  could  lead  to 
losses  of  Interest 

Modifying  the  equipment  and 
procedures  used  to  de-inventory 
hazardous  materials  from  a  vessel 
while  the  vessel  is  being 
decommissioned 

1.  Hazards  and  required 
safeguards 

2.  Recommendations  for 
redudng  risk 

Coarse  Hazard  Analysis 


Evaluating  Change 


The  IRA  Coarse  Hazard  Analysis 

Introduction 

Performing  a  coarse  hazard  analysis 
Updating  a  coarse  hazard  analysis 

Information  exchange  between  the  coarse 
hazard  analysis  and  the  risk-based  safety 
survey 

Making  decisions  using  the  coarse  hazard 
analysis 


1 .  Determining  the 
impact  on  risk  due 
to  the  change 


2.  Quantifying  the 
impact  the  change 
has  on  risk 


Evaluating  Change  Using  a  Coarse  Hazard  Analysis 


An  important  use  of  the  hazard  analysis  is  to  evaluate  how 
change  affects  risk.  Change  includes: 

•  Addition,  deletion,  or  modification  of  equipment  or  systems 

•  Addition,  deletion,  or  modification  of  administrative  pro¬ 
cesses  or  procedures 

•  Addition  or  reduction  of  manpower 

•  Introduction  of  new  processes,  operations,  materials,  etc. 

Understanding  how  change  affects  risk  is  critical  when  making 
decisions  concerning  the  change.  This  section  discusses  how  to 
evaluate  change  using  the  coarse  hazard  analysis. 
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Determining 
the  impact  on 
risk  due  to  the 
change 


2.  Quantifying  the 
impact  the  change 
has  on  risk 


A.  Identify  the 
deviations  affected 
by  the  change 


B.  Estimate  new 
frequency  scores 
and  RiNs  due  to 
the  change 


C.  Determine  the 
certainty  of  the 
estimates 


Step  1  Determine  the  Impact  on  Risk  Due  to  the  Change 


Determining  the  impact  on  risk  due  to  a  change  is  accomplished 
by  determining  the  potential  increase  or  decrease  in  frequency 
scores  of  the  deviations  affected  by  the  change. 


Note: 

At  the  conclusion  of  this  analysis  (determining  the  impact  on 
risk  due  to  a  change),  it  may  be  necessary  to  recommend 
ways  to  reduce  risk  caused  by  implementing  the  change. 


Change 

Associated  Deviation(s) 

Initlai 

Frequencies 
and  RIN 

Revised 
Frequencies 
and  RIN 
Due  to  the 
Change 

Certainty  in 
Revis^ 

RIN 

1.  Replacement  of  the 
brake  and  winch  on 

Small  boat  launch/recovery 
Operating  tUting  equipment 

3. 3.4 

1.2.2 

Med 

the  MSB  mng/ 
towering  system  with 
a  winch  capable  of 

incorrect  load  position/ 
direction/speed 

0.036 

0.00063 

payin  and  payout 

Small  boat  launch/recovery 
Operating  lifting  equipment 
Loss  of  support 

2.  2.3 

0.0036 

1.1.2 

0.00036 

High 

Z  Addition  of  a  new 
high  power  radar 

Not  operation/evolution 
specific 

1.4,5 

1.4.5 

High 

system 

Providing  electronic  systems 
Electronic  systems  service 
quality  problems 

0.0603 

0.0603 

Not  operation/evolution 
specific 

Providing  electronic  systems 
Radiation  exposure 

1.3.5 

0.0333 

3,  5,4 

0.333 

Med 

affect  on  risk 
expected 
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Step  IJl  Identify  the  deviations  affected  by  the  change  and  their 
frequency  scores  and  RlNs 
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Step  1.B 


Estimate  revised  Class  A/B,  Class  C,  and  Class  D 
frequency  scores  for  each  deviation  affected  by  the 
change  and  calculate  new  BINs 


Change 

Associated  Devlatlon(s) 

Initial 

Frequencies 
and  RIN 

Revised 
Frequencies 
and  RIN 
Due  to  the 
Change 

Certainty  In 
Revised 
RIN 

Notes 

1,  Repiacementofthe 
brake  and  winch  on 
the  MSB  lifting/ 
lowering  system  with 
a  winch  capable  of 
payin  and  payout 

Small  boat  launch/recovery 
Operating  lilting  equipment 
Incorrect  load  position/ 
direction/spe^ 

3.  3.4 

0.036 

1.2.2 

0.00063 

Small  boat  launch/recovery 
Operating  lifting  equipment 
Loss  of  support 

2.2.3 

0.0036 

1.  1.2 

000036 

Z  Addition  of  a  new 
high  power  radar 
system 

Not  operatlon/evolutlon 
specific 

Providing  electronic  systems 
Electronic  systems  service 
quality  problems 

1.4.5 

0.0603 

1.4,  5 

0.0603 

Not  operatlon/evolutlon 
specific 

Providing  electronic  systems 
Radiation  exposure 

1.3.5  1 

0.0333 

3.  5,4 

0.333 

For  each  deviation,  estimate  new  frequency  scores  assuming 
the  change  has  taken  place.  It  may  be  necessary  to  review  the 
coarse  hazard  analysis  tables  to  understand  the  causes,  mis¬ 
haps,  and  safeguards  associated  with  the  deviation.  Calculate 
a  new  RIN  using  the  new  frequency  scores. 


Tip: 

RIN  =  (0.3  •  10(^01  +  0.03  *  +  0.003  *  j/70,000 


When  reviewing  the  deviations  to  determine  the  increase  or 

decrease  in  frequency  scores,  ask  the  following  questions: 

•  How  does  the  change  affect  administrative  procedures  and 
processes? 

•  How  does  the  change  affect  existing  hardware  and  systems? 

•  Does  the  change  improve  or  reduce  the  reliability  of  existing 
safeguards? 

•  Does  the  change  eliminate  existing  safeguards? 

•  Does  the  change  introduce  new  hazards? 

•  Does  the  change  indirectly  impact  other  operations,  systems,  or 
processes? 
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Evaluating  Change 


Step  l.C 


Determine  the  certainty  in  the  estimate  of  the  revised 
frequency  scores  and  proinde  any  pertinent  notes 


Change 

Associated  Deviation(s) 

Initial 

Frequencies 
and  RIN 

Revised 
Frequencies 
and  RIN 
Due  to  the 
Change 

Certainty  in 
Revised 

RIN 

1.  Replacement  of  the 
brake  and  winch  on 

Small  boat  launch/recovery 
Operating  lifting  equipment 

3.  3.4 

1.2.2 

Med 

the  MSB  lifting/ 
lowering  system  with 
a  winch  capable  of 

Incorrect  load  position/ 
direction/spe^ 

0.036 

0.00063 

payin  and  payout 

Smalt  boat  launch/recovery 
Operating  lifting  equipment 
Loss  of  support 

2. 2.3 

0.0036 

1.1.2 

0.00036 

High 

2.  Addition  of  a  new 
high  power  radar 

Not  operation/evolution 
specific 

1.4,5 

1.4,5 

High 

system 

Providing  electronic  systems 
Electronic  systems  service 
quality  problems 

0.0603 

0.0603 

Not  operation/evolution 
specific 

Providing  electronic  systems  '■ 
Radiation  exposure 

1.3,5 

0.0333 

3.  5.4 

0.333 

Med 

affect  on  risk 
expected 


The  certainty  characterizes  the  confidence  in  the  assessment  of 
the  frequency  scores.  The  certainty  categories  are  High,  Me¬ 
dium,  and  Low,  and  are  explained  in  Step  3.B  of  performing  a 
coarse  hazard  analysis. 
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1.  Determining  the 
impact  on  risk  due 
to  the  change 


2.  Quantifying 
the  impact  the 
change  has  on 
risk 


Evalnating  Change 


A.  Add  baseline 
and  revised  RlNs 
of  affected 
deviations 


B.  Subtract  the 
revised  RIN  from 
the  baseline  RIN 


C.  Multiply  the 
change  in  RIN  by 
10,000  for  lower 
bounds  of  impact 


D.  Multiply  the 
lower  bounds  by 
10  for  the  upper 
bounds  of  impact 


Quantifying  the  Impact  the  Change  Has  on  Risk 

The  cost  (negative  number)  or  savings  (positive  number)  due  to 
the  impact  on  risk  is  calculated  by  determining  the  increase  or 
decrease  in  the  RINs  for  the  deviations  affected  by  the  change. 


Revised 
RIN  Due  to 
the  Change 

Change  in  RIN 
(positive 
number 
is  a  reduction) 

$/Year  Change  in  Risk 
(positive  number  »  savings) 

Change 

Deviation 

Baseline 

RIN 

Lower 

Upper 

1 

1 

0.036 

0.00063 

2 

0.0036 

0.00036 

3 

0.36 

0.36 

Total 

0.3996 

0.36099 

0.039 

390 

3,900 

2 

1 

0.0603 

0.0603 

■ 

2 

0.0333 

0.333 

■ 

Total 

0.0936 

0.3933 

■ 

.3 

-3,000 

-30,000 
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Eyalnalino  Change 


Step  2 Jl  Add  baseline  and  revised  RlNs  of  affected  deviations 


□ 


Deviation 

Baseline 

RiN 

Revised 

RIN  Due  to 
the  Change 

1 

0.036 

0.00063 

2 

0.0036 

0.00036 

3 

0.36 

0.36 

1  Total 

0.3996 

0.36099 

1 

0.0603 

0.0603 

2 

0.0333 

0.333 

I  Total 

0.0936 

0.3933 

$/Year  Change  in  Risk 

Change  In  RIN  (positive  number  »  savings) 


(positive 

number 


Note: 

Decision  makers  will  have  to  consider  whether  deviations 
with  RIN  in  the  Low  certainty  category  should  be  used  when 
calculating  the  $/year  impact  on  risk. 
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Coarse  Hazard  Analysis 


Step  2.B  Subtract  the  revised 


Evaluating  Change 


from  the  baseline 
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EvalnatingjChaii^ 


Step  2.C 


Multiply  the  change  in  BIN  by  10,000  for  the  lower 
bounds  of  the  $/year  impact  on  risk 


Change 

Deviation 

Baseiine 

RIN 

Revised 
RIN  Due  to 
the  Change 

Change  In  RiN 
(positive 
number 
is  a  reduction) 

$/Year  Change  In  Risk 
(positive  number  »  savings) 

Lower 

Upper 

1 

1 

0.036 

0.00063 

0.039 

2 

0.0036 

0.00036 

3 

0.36 

0.36 

Total 

0.3996 

0.36099 

390 

2 

1 

0.0603 

0.0603 

-0.30 

2 

0.0333 

0.333 

Total 

0.0936 

0.3933 

-3,000 

The  equation  for  calculating  RIN  is  derived  using  the  lower 
limits  of  the  frequency  categories.  Multiplying  the  RIN  by 
10,000  results  in  risk  values  stated  in  terms  of  potential  dollars 
on  a  yearly  basis.  This  dollar  value  is  the  lower  bounds  of  the 
estimated  impact  on  risk  since  it  is  based  on  the  lower  bounds 
of  the  frequency  categories. 
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Evaluating  Change 


Step  2.D.  Multiply  the  lower  bounds  by  10  for  the  upper  bounds  of 
the  $/year  impoet  on  risk 


Deviation 

Baseline 

RIN 

Revised 

RIN  Due  to 
the  Change 

1 

0.036 

0.00063 

2 

0.0036 

0.00036 

3 

0.36 

0.36 

Total 

0.3996 

0.36099 

1 

0.0603 

0.0603 

2 

0.0333 

0.333 

Total 

0.0936 

0.3933 

$/Year  Change  In  Risk 

Change  In  RIN  (positive  number  »  savings) 
(positive 
number 


The  frequency  categories  represent  ranges  that  cover  an  order 
of  magnitude.  Since  the  RIN  equation  is  derived  from  the  lower 
frequency  bounds,  the  upper  bounds  of  estimated  risk  reduc* 
tion  are  determined  by  multiplying  the  lower  bounds  by  10. 

The  upper  bounds  are  the  maximum  estimated  $/year  impact 
due  to  the  increase  or  decrease  in  risk. 
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Section  6 

Monaging  o  Hozard  Anolysis  Project 


Introduction 


Managing  a  Hazard  Analysis  Project 


Managing  a  Hazard  Analysis  Project 

This  section  provides  guidance  for  coordinating  and  performing  a 
hazard  analysis. 

Topics  to  be  discussed: 

•  Scoping  a  hazard  analysis 

•  Identifying  process  participants  and  the  analysis  team 

•  Preparing  for  an  analysis 

•  Facilitating  the  analysis  meetings 

•  Documenting  the  analysis  meetings 

•  Writing  the  analysis  report 


&3 


Coast  Guard  IRA  Manual 


Managing  a  Hazard  Analysis  Proieet 


Scoping  an  Analysis 


Step  1  Scoping  a  Hazard  Analysis 

Defining  the  scope  of  a  hazard  analysis  is  critical  to  the  success 
of  the  analysis.  A  lack  of  clear  direction  can  waste  time  and 
resources  examining  parts  of  a  process  or  situations  that  may 
be  of  relatively  minor  interest  or  concern. 

The  scope  should  provide  the  boundaries  necessary  to  focus  the 
analysis  objectives.  However,  it  is  important  to  define  a  scope  that 
is  not  so  detailed  or  restrictive  that  it  stifles  the  hazard  analysis 
team.  The  team  must  have  the  latitude  to  exercise  good  judgment 
in  the  investigation  of  hazards  initially  outside  the  scope. 
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Managing  a  Hazard  Analysis  Project 


Scoging^nAnal^sis 

Step  LA  I  Define  the  objectives  of  the  analysis 

•  Determine  the  motivation  for  performing  the  analysis  (e.g.. 
Coast  Guard  management  concern,  unit  concern,  public 
concern,  regulatory  compliance) 

•  Determine  the  operating  modes  (e.g.,  operations/evolutions, 
functions,  locations)  to  be  considered 

•  Develop  a  "wish  list"  of  information  desired  from  the  analysis 

Step  1.B  Define  the  consequences  of  concern 

j  I  •  Public  injury 

- y  •  Coast  Guard  personnel  injury 

•  Equipment/property  damage 

•  Environmental  damage 

•  Revenue  loss 

•  Community  relations 


Step  l.C 


Define  the  physical  limits  of  the  analysis 

•  Boundaries  of  the  process/operation  (e.g.,  main  diesel  en¬ 
gine,  providing  potable  wafer  services,  towing,  USCGC 
MELLON,  WHEC-378S) 

*  Level  of  detail/limits  of  resolution  (e.g.,  coarse  hazard  analy¬ 
sis  or  detailed  hazard  analysis,  qualitative  or  quantitative) 


Step  1.D 


Define  the  assumpLons 


Clearly  defined  assumptions  help  ensure  a  consistent  analysis. 
Typical  assumptions  are  as  follows: 

•  The  object  or  process  being  analyzed  will  work  as  designed 

•  Equipment  is  fit  for  its  intended  use 

•  Trained  Coast  Guard  personnel  will  be  used 

•  Written  procedures  are  accurate 

•  Policies  are  enforced 
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Participants  and  Team 


Step  2 


Identifying  Process  Participants  and  the  Analysis  Team 


There  are  four  types  of  individuals  or  groups  v/ho  participate  in 
the  hazard  analysis  process.  They  include: 

Sponsor  —  This  individual  or  group  (e.g.,  a  unit  commanding 
officer,  Coast  Guard  management,  unit  safety  coordinator) 
determines  the  need  for  the  analysis  to  be  performed  on  a 
particular  unit.  The  sponsor  is  ultimately  responsible  for  ob¬ 
taining  results  from  the  process  and  typically  has  a  specific  use 
for  the  results. 


Analyst  —  This  individual  or  group  (e.g.,  MLC  Health  and  Safety 
personnel,  unit  safety  coordinator,  contractor)  is  responsible  for 
performing  the  analysis  on  a  particular  unit. 

Subject  matter  experts  —  This  group  (e.g.,  vessel  crew,  facility 
staff)  participates  in  the  analysis,  providing  expert  knowledge  and 
experience  about  unit  operations,  configurations,  and  hazards. 

Decision  maker  —  This  individual  or  group  (e.g.,  vessel  com¬ 
mand,  Coast  Guard  management.  Coast  Guard  Vessel  Safety) 
uses  the  hazard  analysis  process  results  to  make  risk-based 
decisions. 
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Participants  and  Team 


The  analysis  team  consists  of  analysts  and  subject  matter 
experts.  Often,  a  decision  maker  or  sponsor  will  kick  off  the 
analysis  by  explaining  the  importance  of  the  results  and  how  they 
will  be  used. 


The  following  provides  a  more  detailed  description  of  the 
analysis  team  members: 

Analysts  —  Analysts  are  either  team  leaders  or  scribes. 

Team  leader  —  organizes  and  facilitates  the  analysis 
Characteristics: 

•  Independent  of  subject  process/system  (i.e.,  not  the  process/ 
system  expert) 

•  Able  to  organize  and  negotiate 

•  Communicates  well  with  a  diverse  group 

•  Can  focus  group  energy  and  build  consensus 

•  Impartial,  honest,  and  ethical 

■  Expert  in  hazard  analysis  technique(s) 

Scribe  —  records  the  proceedings  of  the  analysis  in  an  orderly 
manner 

Characteristics: 

•  Attentive  to  detail 

•  Abie  to  organize 

•  Understands  technical  terminology 

•  Able  to  summarize  discussions 

•  Good  writing/typing  skills 

•  Understands  the  hazard  analysis  technique(s) 
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Participants  and  Team 


Subject  matter  experts  —  Subject  matter  experts  postulate 
causes,  estimate  consequences  of  deviations,  identify  safe¬ 
guards,  and  suggest  ways  to  address  unacceptable  risks. 

Characteristics: 

•  Enters  into  the  discussion  enthusiastically 

•  Contributes  his/her  experience 

•  Confines  the  discussion  to  the  specific  problem 

•  Listens  attentively  to  the  discussion 

•  Appreciates  other  team  members'  points  of  view 
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Preparing  for  an  Analysis 


Step  3  Preparing  for  an  Analysis 

Preparing  for  an  analysis  Is  just  as  crucial  as  performing  the 
analysis.  Poor  preparation  can  undermine  the  analysis.  The 
analyst(s)  and  sponsor  should  work  together  to  ensure  that  the 
analysis  runs  smoothly. 
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Step  3  Jl 


Step  3.B 


Step  3.C 


Select  the  right  team 

•  Team  size  should  be  four  to  eight  members 

•  Team  members  should  have  a  variety  of  experience  and 
expertise 

•  Team  members  must  be  objective 

■  Consider  and  balance  the  personality  traits  of  individuals  on 
the  team  (avoid  disruptive  people) 

•  Balance  the  positions  of  the  individuals  on  the  team  (i.e.,  the 
captain  or  facility  manager  may  intimidate  some  individuals, 
keeping  them  from  contributing) 

•  Consider  the  impact  on  operations 

Arrange  an  appropriate  meeting  room 

•  Room  should  be  large  enough  to  accommodate  the  team 
members 

•  Seating  arrangements  should  be  comfortable 

•  Onsite  location  that  accommodates  tours  and  inspections  is 
ideal  (offsite  location  may  be  necessary  if  team  members  are 
likely  to  be  interrupted  or  called  out  during  the  analysis) 

•  Room  should  be  near  restrooms  and  refreshments  if  possible 

•  Avoid  distractions  such  as  phones,  loud  speakers,  other 
noises,  etc. 

Define  a  meeting  schedule 

•  Normally,  meetings  should  not  exceed  4  to  6  hours  per  day 

•  Analysis  meetings  should  normally  not  last  more  than  4  or  5 
days  in  a  row  (typically,  large  analyses  will  meet  every  2  or  3 
weeks) 

•  The  analysis  should  be  scheduled  such  that  there  is  ample 
time  to  document  the  analysis  and  resolve  the  recommenda¬ 
tions  and/or  action  items 

•  Distribute  meeting  schedules  early  enough  for  team  members 
to  arrange  their  own  schedules 


Step  3.D 


Organize  informotion 


Prepare  documentation  tools  (e.g.,  worksheets  and/or 
software)  —  Whether  paper  or  software  is  used  to  document 
the  analysis,  the  documentation  tools  need  to  be  prepared  in 
advance. 


Gather  and  distribute  information  on  the  subject  to  be 
analyzed  —  The  team  leader  should  gather  all  appropriate 
drawings,  procedures,  policies,  etc.,  that  may  be  necessary  for 
reference  during  the  analysis.  If  appropriate,  this  information 
can  be  distributed  to  the  team  members  before  the  analysis  for 
their  review. 
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Facilitating  Meetings 


Step  4 


Facilitating  the  Analysis  Meetings 


The  team  leader  (analyst)  facilitates  the  analysis  meeting. 
Proper  organization  and  facilitation  make  the  analysis  run 
smoothly  and  promote  an  environment  conducive  to  meeting  the 
analysis  objectives.  Below  are  some  facilitation  tips  and  issues  to 
consider. 


1  General  meeting  guidelines 

^  •  Introduce  the  team  members 

•  Review  the  problem  scope  and  objectives 

•  Define  ground  rules  for  the  meeting  (e.g.,  equality  of  team 
members,  no  problem  solving) 

•  Discuss  the  meeting  schedule 

•  Perform  the  analysis  section  by  section 

•  Review  results  with  the  team 
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Facilitating  Meetings 


Qnestioning  teelmiqnes  for  the  analysis 

•  Ask  nonthreatening  questions: 

"What  factors  do  you  emphasize  when  training  new  person¬ 
nel?" 


or 

"What  kinds  of  problems  have  you  seen?" 

not 

"What  kinds  of  mistakes  have  you  made?" 

•  Treat  team  members  as  experts 

•  Solicit  details  of  past  incidents  and  ask  if  similar  situations  could 
recur 

•  Direct  questions  to  the  quiet  team  members 

•  Confine  yourself  to  asking  questions,  not  providing  answers 

□  Keys  to  a  sneeessfnl  meeting 

- ^  •  Listen  to  all  team  members 

•  Promote  participation;  avoid  criticism 

•  Take  frequent  breaks  to  keep  energy  level  high,  and  limit  meet¬ 
ings  to  4  to  6  hours  per  day 

•  Identify  ultimate  causes  and  consequences  of  deviations 

•  Keep  the  meeting  moving  forward 

___  Common  meeting  problems  to  ovoid 

- ^  •  Out-of-date  documentation 

•  ill-defined  design  intentions,  functions,  and  deviations 

•  Inadequate  information  to  understand  the  problem 

•  Side-tracked  discussions 

■  Digressing  into  designing  solutions 

Follow-up  activities 

- y  •  Identify  all  open  items  that  must  be  resolved 

•  Assign  a  person  and  schedule  for  each  open  item 

•  Review  all  recommendations  with  the  team 

•  Schedule  additional  meetings  as  necessary 
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Documenting  an  Jlnalysis 


Steps 


Documenting  the  Analysis  Meetings 


Each  analysis  technique  has  its  own  method  for  collecting,  orga¬ 
nizing,  and  reporting  analysis  data.  All  of  these  techniques  can  be 
performed  using  paper-based  worksheets  or  electronic  software 
tools  (general  purpose  software  or  technique-specific  tools). 


Using  dedicated  analysis  software  increases  the  efficiency  of  the 
analysis  process,  especially  in  the  reporting  phase.  Some  tech¬ 
niques  require  automation  to  be  practical  to  use.  Eventually, 
the  Coast  Guard  will  have  a  software  package  that  automates 
the  coarse  hazard  analysis  technique. 

Regardless  of  the  method  used  to  document  the  analysis,  it  is 
important  that  both  the  team  leader  and  scribe  be  intimately 
familiar  with  the  tools  and  be  able  to  explain  to  the  other  team 
members  the  documentation  process. 
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Step  6 


Writing  the  Analysis  Report 


Documenting  the  results  of  the  analysis  provides: 

•  evidence  that  the  study  was  performed  using  sound  practices, 

•  preserves  the  results  for  future  use, 

•  supports  other  activities  (e.g.,  procedures,  training,  mishap 
investigation),  and 

•  supports  good  risk  management  decisions. 


Documentation  requirements  should  be  defined  before  the 
analysis  is  performed  to  ensure  that  the  proper  information  is 
collected.  Below  is  a  list  of  the  key  topics  that  would  be  in¬ 
cluded  in  a  report: 


•  What  was  analyzed? 

•  Which  hazard  analysis  technique  was  used? 

•  How  were  the  regulatory  requirements  met? 

•  Who  performed  the  analysis? 

•  What  were  the  action  items? 

•  What  was  management's  response? 
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Writing  the  Report 


The  following  is  an  example  outline  of  a  hazard  analysis  re¬ 
port.  Reports  may  be  more  general  or  more  specific  than  this 
outline  depending  on  the  intended  audience  and  use  of  the 
documentation. 
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Detailed  Hazard  Analysis 


Introduction 


The  DEIA  Detailed  Hazard  Analysis 

m  Introduction 

■  Choosing  coarse  or  detailed  hazard 
analysis 

■  Selecting  a  detailed  hazard  analysis 
technique 

m  Estimating  resources  for  a  detailed 
hazard  analysis 
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The  IRA  Detailed  Hazord  Analysis 


■  Introduction 


■  Choosing  coarse  or  detailed  hazard 
analysis 

■  Selecting  a  detailed  hazard  analysis 
technique 

■  Estimating  resources  for  a  detailed 
hazard  analysis 


Detailed  Hazard  Analysis 


The  goal  of  Coast  Guard  detailed  hazard  analysis  is  to  supple¬ 
ment  the  coarse  hazard  analysis  methodology  for  situations  in 
which  more  detail  is  warranted.  The  detailed  hazard  analysis 
tools  included  in  the  IRA  process  are  standard  hazard/risk 
analysis  techniques  that  have  been  proven  through  many  years 
of  application  in  a  variety  of  industries.  The  following  is  a  list 
of  the  detailed  hazard  analysis  techniques  chosen  for  Coast 
Guard  use. 


J  Detailed  hazard  analysis  techniques  ior  Coast  Guard 
applications 

•  What-if/checklist 

•  Worker  and  instruction  safety  evaluation  (WISE)  analysis 

•  Hazard  and  operability  (HAZOP)  analysis 

•  Failure  modes  and  effects  analysis  (FMEA) 

•  Fault  tree  analysis/event  tree  analysis  (FTA/ETA) 

•  Human  reliability  analysis  (HRA) 

•  Common  cause  failure  analysis  (CCFA) 

Section  3,  Overview  of  Common  Hazard/Risk  Analysis  Method¬ 
ologies,  provides  a  brief  description  and  example  of  each  of  these 
techniques.  The  following  table  is  the  Coast  Guard  rationale 
for  selecting  detailed  hazard  analysis  and  specific  detailed 
hazard  analysis  techniques. 
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Technique 

Rationale  for  Selection 

What-if/Checklist 

The  simplicity  and  universal  applicability  of  what-if/checklist  analysis  made 
it  a  natural  choice  for  detailed  hazard  analysis  within  the  Coast  Guard 

Worker  and  Instruction 
Safety  Evaluation 
(WISE)  Analysis 

The  extensive  nature  of  human  involvement  (especially  procedural  tasks) 
in  virtually  every  Coast  Guard  mission/operation  makes  tools  for 
thoroughly  evaluating  human  error  very  important.  The  WISE  analysis 
methodology  combines  into  one  technique  an  awareness  of  how  people 
can  impact  processes  and  how  processes  can  affect  people 

Hazard  and  Operabiiity 
(HAZOP)  Analysis 

This  technique  is  similar  In  nature  to  WISE,  but  is  more  applicable  to  fluid 
and  thermal  systems,  which  are  abundant  on  Coast  Guard  vessels.  It 
provides  a  more  structured  approach  than  a  what-if/checklist  analysis  to 
identifying  hazard  and  operability  problems  stemming  from  system 
deviations 

Failure  Modes  and 
Effects  Analysis 
(FMEA) 

The  Coast  Guard  uses  mechanical  and  electrical  systems/equipment 
extensively,  making  FMEA  a  natural  choice  for  these  applications  when  a 
less  structured  what-if/checklist  analysis  may  be  inadequate.  (Although 
HAZOP  analysis  could  be  useful  for  analyzing  Coast  Guard  fluid  and 
thermal  systems,  FMEA  can  be  equally  effective  in  such  applications  for 
Coast  Guard  systems) 

Fault  Tree  Analysis/ 
Event  Tree  Analysis 
(FTA/ETA) 

Because  the  Coast  Guard  has  several  systems  with  built-in  redundancy 
and  multiple  levels  of  safeguards,  modeling  techniques  for  identifying 
complex  combinations  of  equipment  failures  and  human  errors  will  be 
important  for  some  situations.  FTA/ETA  are  the  most  widely  recognized 
and  universally  applicable  techniques  for  these  situations 

Human  Reliability 
Analysis  (HRA) 

The  Importance  of  human  errors  in  Coast  Guard  operations  and  the 
complexity  of  some  operations/procedures  make  HRA  potentially  useful 
for  special  situations  as  a  supplement  to  other  techniques  (especially 

WISE  analysis) 

Common  Cause 

Failure  Analysis 
(CCFA) 

When  a  situation  is  complex  enough  to  require  FTA/ETA,  the  potential  for 
common  cause  failures  cannot  be  overlooked.  CCFA  should  always  be 
applied  (in  some  level  of  detail)  with  FTA/ETA 
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The  IRA  Detailed  Hazard  Analysis 

■  Introduction 


■  Choosing  coarse  or  detailed  hazard 
analysis 


■  Selecting  a  detailed  hazard  analysis 
technique 

■  Estimating  resources  for  a  detailed 
hazard  analysis 


1  1  Choosing  Coarse  or  Detailed  Hazard  Analysis 

Although  coarse  hazard  analysis  will  meet  a  large  portion  of 
the  Coast  Guard's  hazard/risk  needs,  more  detailed  analysis  of 
hazards/risks  is  needed  in  some  circumstances.  Fundamentally, 
more  detailed  analysis  is  warranted  when; 

*  better  resolution  of  potential  mishap  scenarios  is  needed 
(e.g.,  more  specific  descriptions  of  causes  and  safeguards) 
and 

•  more  certainty  is  needed  in  the  risk  characterizations  for 
selected  mishap  scenarios  (e.g.,  there  was  a  low  level  of 
certainty  in  the  coarse  hazard  analysis  results). 
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The  IRA  Detailed  Hazard  Analysis 

■  Introduction 

■  Choosing  coarse  or  detailed  hazard 
analysis 


■  Selecting  a  detailed  hazard  analysis 
technique 


■  Estimating  resources  for  a  detailed 
hazard  analysis 


I  ij  Key  Factors  in  Selecting  a  Technique 

Motivation  for  analysis 

This  consideration  should  be  the  most  important  to  every  hazard/ 
risk  analyst.  Performing  a  hazard/risk  analysis  v/ithout  under¬ 
standing  its  motivation  and  v/ithout  having  a  well-defined  pur¬ 
pose  is  likely  to  waste  valuable  process/mission  improvement 
resources.  A  number  of  issues  can  shape  the  purpose  of  a  given 
analysis.  For  example,  what  is  the  impetus  for  performing  the 
analysis  in  the  first  place?  Is  the  analysis  being  done  as  part  of  a 
policy  for  performing  hazard/risk  analyses  of  new  processes/ 
products?  Are  insights  needed  to  make  risk  management  deci¬ 
sions  concerning  the  improvement  of  a  mature,  existing  process/ 
mission?  Or  is  the  analysis  being  done  to  satisfy  a  regulatory  or 
legal  requirement?  individuals  responsible  for  selecting  the  most 
appropriate  technique  and  assembling  the  necessary  human, 
technical,  and  physical  resources  must  be  provided  with  a  well- 
defined,  written  purpose  so  that  they  can  efficiently  execute  the 
analysis'  objective. 

Types  of  results  needed 

The  type  of  results  needed  is  important  for  actually  choosing  an 
analysis  technique.  Depending  on  the  motivation  for  the  hazard/ 
risk  analysis,  a  variety  of  results  could  be  needed  to  satisfy  the 
study's  charter.  Defining  the  specific  type  of  information  needed 
to  satisfy  the  objective  of  the  analysis  is  an  important  part  of 
selecting  the  most  appropriate  analysis  technique.  The  following 
are  five  categories  of  information  that  can  be  produced  from 
most  hazard/risk  analyses: 

•  List  of  potential  mishaps 

•  List  of  how  these  mishaps  occur  (i.e.,  failure  modes,  causes, 
sequence) 

•  List  of  alternatives  for  reducing  the  potential  for  these  mishaps 
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List  of  areas  needing  further  analysis  and/or  input  for  a 
quantitative  analysis  (which  addresses  our  "depth  of  analy¬ 
sis"  scoping  strategy) 

Prioritization  of  results 


Some  hazard/risk  analysis  techniques  can  be  used  solely  to 
identify  the  critical  problem  areas  associated  with  a  process  or 
mission.  If  that  is  the  only  purpose  of  the  analysis,  then  a  tech¬ 
nique  can  be  selected  that  will  provide  a  list  or  a  "screening"  of 
areas  of  the  process/mission  that  possess  the  potential  for  mis¬ 
haps. 


Nearly  all  of  the  analysis  techniques  can  provide  lists  of  how 
these  mishaps  occur  and  possible  risk  reduction  alternatives  (i.e., 
action  items).  Several  of  the  techniques  can  also  be  used  to 
prioritize  the  action  items  based  on  the  team's  perception  of  the 
level  of  risk  associated  with  the  situation  that  the  action  item 
addresses. 


Types  of  resources  available 

Two  primary  conditions  define  what  information  is  available  to 
the  analysis  team:  (1)  the  stage  of  life  the  process  or  product  is  in 
when  the  analysis  needs  to  be  performed  and  (2)  the  quality  and 
currentness  of  the  available  documentation. 

The  first  condition  is  generally  fixed  for  any  hazard/risk  analysis. 
The  process'  or  mission's  stage  of  life  establishes  the  practical 
limit  of  detailed  information  available  to  the  analysis  team.  For 
example,  if  a  hazard/risk  analysis  is  to  be  performed  on  the 
conceptual  design  of  a  process,  it  is  highly  unlikely  that  an  orga¬ 
nization  will  have  already  produced  piping  and  instrumenta¬ 
tion  diagrams  (P&IDs)  or  detailed  design  drawings  for  the 
proposed  process  or  product.  Thus,  if  the  analyst  must  choose 
between  HAZOP  analysis  and  what-if  analysis,  then  this 
"phase-of-life"  factor  would  dictate  a  less  detailed  analysis 
technique  (i.e.,  the  what-if  analysis). 

The  second  condition  deals  with  the  quality  and  currentness  of 
the  documentation  that  does  exist.  For  a  hazard/risk  analysis  of 
an  existing  process,  analysts  may  find  that  the  P&IDs  are  not  up  to 
date  or  do  not  exist  in  a  suitable  form.  Using  any  analysis  tech¬ 
nique  with  out-of-date  information  is  not  only  futile,  it  is  a  waste 
of  time  and  resources.  Thus,  if  all  other  factors  point  to  using  a 
specific  technique  for  the  proposed  analysis  that  requires  such 
information,  then  the  analysts  should  ask  management  to  have 
the  necessary,  up-to-date  Information  available. 
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Complexity  and  size  of  onalysis 

Some  techniques  can  get  bogged  down  when  used  to  analyze 
extremely  complicated  problems.  The  complexify  and  size  of  an 
analysis  are  functions  of: 

•  the  number  of  systems  being  analyzed, 

•  the  number  of  pieces  of  equipment  in  each  system, 

•  the  number  of  operating  steps,  and 

•  the  number  and  types  of  events  and  effects  being  analyzed. 

For  many  analysis  techniques,  considering  a  larger  number  of 
equipment  items  or  operating  steps  will  increase  the  time  and 
effort  needed  to  perform  a  study.  For  example,  using  the  FMEA 
technique  will  generally  take  5  times  more  effort  for  a  system 
containing  1 00  equipment  items  than  for  a  system  containing  20 
items.  Thus,  the  types  and  number  of  events  and  effects  being 
evaluated  are  proportional  to  the  effort  required  to  perform  a 
hazard/risk  analysis,  although  in  some  cases  it  may  not  be  a 
linear  relationship. 

Types  of  system/operations 

Many  techniques  can  be  used  for  almost  any  type  or  combination 
of  system  types.  However,  certain  techniques  are  better  suited  for 
particular  systems  than  others.  For  example,  the  FMEA  approach 
has  a  well-deservec  reputation  for  efficiently  analyzing  me¬ 
chanical,  electronic,  and  computer  systems,  whereas  the 
HAZOP  analysis  approach  may  not  work  as  well  for  these  types 
of  systems.  In  addition,  some  techniques  are  more  applicable 
for  analyzing  at  the  component  and  piece-part  level  instead  of 
analyzing  at  a  system  level. 

Types  of  loss  events  targeted 

Organizations  tend  to  use  more  systematic  techniques  for  those 
systems  that  they  believe  pose  higher  risk  (or,  at  least,  for 
situations  in  which  failures  are  expected  to  have  severe  conse¬ 
quences).  Thus,  the  greater  the  perceived  risk  of  the  system, 
the  more  important  it  is  to  use  techniques  that  minimize  the 
chance  of  missing  an  important  potential  mishap. 
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Selecting  a  Technique 

The  following  table  provides  a  summary  of  key  characteristics  of  the  Coast  Guard  detailed 
hazard  analysis  techniques. 


Analysis 

Type 


Types  of  Results 


Hazard 

Evaluation 

Technique 


What-if/ 

Checklist 

Analysis 


WISE 

Analysis 


HAZOP 

Analysis 


>  ®  Relative 

p  ^  Qualitative  Quantitative  Importance 

-i  ^  Mishap  RiskCharac-  of  Mishap  Recommend- 

o  JE  Descriptions  terizations  Contributors  ations 


Types  of 
Systems 

Level  of 
Effort/ 
Complexity 

Level  of 
Training  for 
Analysts  and 
Analysis 
Teams 

Ail 

Medium 

Low  to 
Medium 

Sequential 
operations  and 
procedures 

Medium  to 
High 

Medium 

Process 
systems, 
especially  fluid 
and  thermal 
systems 

Sequential 
operations  and 
procedures 

Medium  to 
High 

Medium 

All.  especially 
mechanical 
and  electrical 
systems 

Medium  to 
High 

Medium 

All 

High 

Medium  to 
High 

Alt 

High 

Medium  to 
High 

Sequential 
operations  and 
procedures 

High 

Medium  to 
High 

Alt 

High 

Medium  to 
High 
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The  matrix  below  will  help  in  determining  the  appropriate  detailed  hazard  analysis  tech¬ 
nique  to  use.  Choose  a  detailed  hazard  analysis  technique  that  best  fits  the  characteristics 
of  the  issue  to  be  analyzed. 
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Estimating  Resources 


The  IRA  Detailed  Hazard  Analysis 

B  Introduction 

B  Choosing  coarse  or  detailed  hazard 
analysis 

B  Selecting  a  detailed  hazard  analysis 
technique 


B  Estimating  resources  for  a  detailed 
hazard  analysis 


Estimating  Resources  for  a  Detailed  Hazard  Analysis 

Different  analysis  techniques  require  different  levels  of  time 
commitment  to  perform.  This  section  presents  the  estimated  time 
required  to  perform  the  various  stages  of  the  Coast  Guard 
detailed  hazard  analysis  techniques. 
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What-if/Cheeklist  Analysis 


Process  and  Location: 


Topic  Investigated:  Refuetim 


EquIpmenlTTask  Intentions: _ Fue!  System 


SUMMARY  OP  WHAT^F/CHECKUST  REVIEW 
IVHEC~378  _ 


What  If...? 


1.  What  if  the  diesel 
tank  is  overfilled? 


High  or 
uncontrolled 
flow  rates  from 
fueling  source 


Consequences  |  Safeguards 


Overflow  tank 


Spin  of  diesel 
fuel 


Tank  level 
indicators 

Fuel  vents  to 
atmosphere 


6/22f97 
Page  1/15 


Action  Items 


Consider  installing  fasUacting 
valves  in  the  fuel  supply  lines 


Scope 

Preparation 

Evaluation 

Documentation 

Simple/small  system 

6  to  12  hours 

6  to  12  hours 

4  to  8  days 

Complex/Iarge  process 

1  to  3  days 

4  to  7  days 

1  to  3  weeks 
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Hazard  and  Operability  (HAZOP)  Analysis 


HAZOP  Of  Rtfualing  Systtm 


Sactlon:  1,0  FudHost _ 

Drawing  Numbar  USCG34-4211 
Ravtalon  Numbar  2 _ 


Itam  Daviation 


1.1  High 
pressure 


Consaquancas 


Safaguards 


Biodcage  in  the  fuel  Rupture  of  the  fuel  Overflow  valves 


line 

Flow  valve  dosed 

Blocked  sounding 
tube  and  vents 


hose  and  fittings 
Potentiat  ignition  of 
spilled  fuel 


Watchstander 


1.2  Misdireded  Flow  control  valves  Rupture  of  fuel  hose  Overflow  valves 
flow  misaligned  and  fittings 

Potential  ignition  of  Watchstander 
spilled  fuel 
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Recommendations 


Consider  improving 
procedures  used  to  align 
flow  valves 


Consider  improving 
procedures  used  to  align 
flow  valves 


Scope 

Preparation 

Evaluation 

Documentation 

Simpie/smail  system 

8  to  12  hours 

1  to  3  days 

2  to  6  days 

Complex/large  process 

2  to  4  days 

1  to  3  weeks 

2  to  6  weeks 
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Failure  Modes  and  Effects  Analysis  (FMEA) 


FMEA  Of  Fuel  Oil  Supply  for  Onboard  Incinerator 


Equipment  Fud  OU  Supply  Line  A-^28 
Drawing  Number  USCGS99-71340 
Revision  Number  2 


Item  Failure  Modes 
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Safeguards 


1  -1  Plugs  Low  fuel  oil  flow  Supply  tine  fitter/strainer  Consider  preventive  maintenance  on  the 

supply  line,  including  the  filter  and  strainer 


1.2  External  leak  Release  of  fuel  oil  Periodic  Inspection  of 

fuel  oil  system 


Potential  fire  hazard  High  pressure  portion  of 
fuel  oil  piping  Is  short 
run  from  pump 
discharge  to  injectors 


Scope 

Preparation 

Evaluation 

Documentation 

Simpie/small  system 

2  to  6  hours 

1  to  3  days 

1  to  3  days 

Complex/large  process 

1  to  3  days 

1  to  3  weeks 

2  to  4  weeks 
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Fault  Tree  Analysis  (FTA) 


Rudder  hydraulic 
system  fails 


Rudder  hydraulic 
system  A  fails 


Rudder  hydraulic 
system  6  fails 


Gyropilot 
steering 
system  A 
fails 


Hydraulic 
system  A 
fails 


Motor  for 
hydraulic 
system  A 
fails 


Gyropilot 
steering 
system  B 
fails 


Hydraulic 
system  B 
fails 


Motor  for 
hydraulic 
system  B 
fails 


Scope 

Preparation 

Model 

Construction 

Qualitative 

Evaluation 

Documentation 

Simple/small  system 

1  to  3  days 

3  to  6  days 

2  to  4  days 

3  to  5  days 

Compiex/large  process 

4  to  6  days 

2  to  3  weeks 

1  to  4  weeks 

3  to  5  weeks 
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Event  Tree  Analysis  (ETA) 


Initiating 

Event 


Release  Avoids  Spray  Shield  Release  Avoids  Accident  Sequence 
Immediate  Ignition  Contains  Release  Delayed  Ignition  Description 


Contained  spill 


Fuel  Oil 
Vapor  Spray 


Success 


Failure 


Small  or  large 
uncontained  spilt 


Small  or  targe  fire 
depending  on  the 
release  rate 

Small  or  large  fire 
depending  on  the 
release  rate 


Scope 

Preparation 

Model 

Construction 

Qualitative 

Evaluation 

Documentation 

Simple/small  system 

1  to  2  days 

1  to  3  days 

1  to  2  days 

3  to  5  days 

Complex/large  process 

4  to  6  days 

1  to  2  weeks 

1  to  2  weeks 

3  to  5  weeks 
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HRA  Event  Tree  for  the  Medical  Team 
Response  to  an  Emergency 


\Communication  channels  fail  off 
Failure 

Medical  team  falls  to  realize  emergency 


Medical  team  fails  to  bring  appropriate  equipment 
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Common  Cause  Failure  Analysis  (CCFA) 


y^Common  cause\^ 
failures  of  both 
hydraulic  system  A  and 
system  B 


Independent  failure  of 
both  hydraulic  system 
A  and  system  B 


Failure  of  hydraulic 

Failure  of  hydraulic 

system  A 

system  B 

Scope 

Preparation* 

Evaluation* 

Documentation* 

Simple/small  system 

4  to  8  hours 

4  to  8  hours 

1  to  2  days 

Complex/large  process 

1  to  3  days 

1  to  3  days 

2  to  5  days 
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Inlroduetion 


The  IRA  Risk-based  Safety  Survey 

■  Introduction 

■  Performing  a  risk-based  safety  survey 

■  Maintaining  the  risk-based  safety  survey 
process 

■  Information  exchange  betv/een  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 

■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 

■  Making  decisions  using  the  IRA  risk-based 
safety  survey 
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Introduction 


The  IRA  Risk-based  Safety  Survey 


■  Introduction 


■  Performing  a  risk-based  safety  survey 

■  Maintaining  the  risk-based  safety  survey 
process 

■  Information  exchange  betv/een  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 

■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 

■  Making  decisions  using  the  IRA  risk-based 
safety  survey 

Introduction 

The  IRA  risk-based  safety  survey  process 


Risk-based  safety  sun/eys  help  manage  risk  by  ensuring  that  the 
safeguards  designed  to  control  the  risk  of  potential  mishaps  are 
being  effectively  implemented.  The  risk-based  safety  survey 
process  performs  much  the  same  function  as  typical  field  sur¬ 
veys  historically  performed  by  the  Coast  Guard  with  the  follow¬ 
ing  notable  exceptions: 

•  Better  focus  on  the  most  significant  risks 

•  More  objective  prioritization  of  findings 

•  More  efficient  use  of  assessment  resources 

•  Investigation  of  root  causes  of  findings 

•  Characterization  of  safeguard  dependability 

•  Improvement  of  Coast  Guard  standards  and  requirements 
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The  IRA  Risk-based  Safety  Survey 

■  Introduction 


■  Performing  a  risk-based  safety  survey 


■  Maintaining  the  risk-based  safety  survey 
process 

■  Information  exchange  between  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 

■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 

■  Making  decisions  using  the  IRA  risk-based 
safety  survey 


Ij  Performing  a  Risk-based  Safety  Survey 

Risk-based  safety  survey  —  a  survey  that  (1)  proportionately 
applies  field  verification  resources  to  evaluation  points  that  most 
effectively  assess  the  status  of  the  most  important  safeguards  (i.e., 
higher  risk  issues  receive  more  resources)  and  (2)  facilitates  timely 
correction  of  significant  deficiencies  and  their  underlying  root 
causes. 

Performing  a  risk-based  safety  survey  involves  all  of  the  activi¬ 
ties  necessary  for  assessing  the  condition  of  a  unit  with  respect 
to  a  set  of  Coast  Guard  requirements  (as  well  as  other  defined 
safeguards  important  for  risk  control)  and  analyzing/docu¬ 
menting  the  results. 
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Overview  of  the  Steps  for  Performing  a  Risk-based 
Safety  Survey 

This  section  outlines  the  steps  for  performing  a  risk-based  safety 
survey. 

1.  Plan  a  safety  survey 

Planning  a  survey  involves: 

•  Identifying  the  scope  of  the  survey 

•  Preparing  for  the  survey 

2.  Assess  the  requirements/evaluation  points  and 
record  findings 

This  task  is  the  actual  survey  of  the  unit.  Survey  team  members 
canvass  the  unit,  reviewing  evaluation  points.  The  survey  in¬ 
cludes  equipment  inspections,  personnel  interviews,  and  docu¬ 
mentation  reviews. 

3.  Identify  root  causes  of  findings 

Determining  the  underlying  causes  of  a  deficiency  and  correcting 
them  helps  to  ensure  that  the  deficiency  does  not  occur  again 
and  prevents  the  underlying  causes  from  contributing  to  other 
types  of  deficiencies  and  mishaps. 
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Root  cause  analysis  should  be  performed  at  some  level  of  detail 
for  each  finding.  For  some  findings  the  simple  question  "v/hy?"  is 
enough  to  determine  a  root  cause.  Other  findings  may  require 
more  rigor  (e.g.,  5  Whys  technique.  Root  Cause  Map"*  tech¬ 
nique)  to  find  the  root  causes.  The  level  of  detail  and  the  number 
of  findings  investigated  with  root  cause  analysis  is  left  to  the 
discretion  of  the  survey  team. 

4.  Determine  the  risk  impact  of  findings 

This  step  of  the  process  involves  assigning  a  relative  risk  weight¬ 
ing  to  each  finding  that  characterizes  the  finding's  potential 
impact  on  unit  risk.  Risk  impact  is  the  foundation  for  prioritiz¬ 
ing  the  findings  for  resolution  and  other  tasks  in  the  safety 
survey  process. 

5.  Document  the  results  and  resolve  findings 

The  safety  survey  visit  is  concluded  with  an  outbrief  highlight¬ 
ing  the  results  of  the  survey.  The  results  are  also  documented  in 
a  safety  survey  report  that  is  submitted  to  the  unit  command, 
and  the  findings  are  documented  in  a  findings  database. 
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Step  1  Plan  a  Safety  Survey 

Planning  a  safety  survey  is  very  important  to  the  success  of  the 
survey.  Preparation  involves  coordinating  the  survey  activities  with 
the  unit  command,  preparing  the  survey  team  for  the  survey, 
and  performing  the  survey  inbrief. 
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Step  1  JR 


Identify  the  scope  of  the  survey 


Identifying  the  scope  of  the  safety  survey  involves  determining 
which  group  of  evaluation  points  will  be  assessed.  A  survey  will 
include  all  evaluation  points  at  some  level  of  risk  significance 
(e.g.,  all  high  and  medium  risk  evaluation  points)  as  well  as  other 
lower  risk  evaluation  points  of  interest  to  the  survey  sponsor/host. 


Example 

A  survey  has  been  planned  to  review  only  the  issues  with 
high  risk  significance;  however,  the  CO  requests  that 
eyewash  stations  be  checked  for  proper  location  (histori¬ 
cally  a  lower  risk  significance  item)  due  to  some  confusion 
with  interpreting  a  requirement.  Also,  new  electrical  equip¬ 
ment  in  the  galley  will  be  checked  for  proper  grounding 
due  to  a  recent  mishap  at  a  similar  unit. 

The  following  table  is  an  example  of  a  scope  for  a  safety  sur¬ 
vey.  The  justification  and  comments  column  explains  why  addi¬ 
tional  evaluation  points  were  added  for  this  survey.  Originally, 
this  survey  was  only  to  review  issues  with  high  risk  significance. 


Evaluation  Area 

Evaluation  Points* 

Justification  and 
Comments 

Occupational  Medical 
Monitoring  Program 

A1,  A2,  A3,  AS,  A6,  AIO,  All,  A13 

Checking  these  items  due 
to  recent  change  of 
command 

Heat  Stress  Program 

B1.  B2.  B5,  B6.  B8.  B9,  BIO 

Hearing  Protection 

Cl.  C2.  C3.  C4.  C5.  C6,  C7.  C8.  C9. 
CIO,  C11.C12 

Eye  Protection 

D1,  D5,  D6,  07,  08,  09 

Respiratory  Protection 

E1.E2,  E6.  E9.  E10,  E11,E12 

Checking  these  Items  due 
to  mishaps  listed  in  recent 
message  traffic 

Asbestos 

F1.  F2.  F4.  F5,  F6.  F7.  F8,  F9.  F15 

Respiratory  Protection 

G1,  G2,  G6,  G7.  G9.  GIO,  G11.  G12 

Food  Preparation  Spaces  i 

HI .  H2.  H3.  H4,  H5.  H6.  H7.  H10. 
Hll,  H13,  H14.  H15.  H17.  H20,  H22, 
H23.  H24,  H28 

Checking  these  items  due 
to  request  from  Unit  CO 

Safety  Program 
Administration 

J1.  J2,  J3.  J4.  J5,  J6.  J7,  J8,  J9.  J10, 
J11,  J12.J13.  J14.  J15.  J16 

Electrical  Safety 

K1.  K4,  K5,  K6,  K7,  K9,  K10.  K11, 
K12.  K13,  K16,  K17,  K19,  K20.  K22, 
K33.  K35.  K38.  K39,  K41.  K42,  K44 

*This  survey  is  of  the  evaluation  points  with  high  risk  significance  and  additional 
evaluation  points  as  specified  in  the  justification  and  comments 
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Step  l.B 


Prepare  for  the  survey 

There  are  several  preparatory  activities  that  are  necessary  for  a 
successful  survey.  These  activities  are  as  follows: 


Review  informotion  related  to  the  survey  scope 

The  survey  team  members  should  be  familiar  with  current  and 
historical  information  related  to  the  survey  they  are  planning 
to  perform.  Knowledge  of  this  information  will  improve  the 
effectiveness  and  efficiency  of  the  survey.  This  information 
includes: 

•  the  safety  survey  checklist  that  will  be  used  during  the  survey, 

•  past  mishaps  and  findings  for  the  unit  class  and  unit  being 
surveyed, 

•  the  coarse  hazard  analysis  information  for  the  specific  unit 
class  (high  level  review),  and 

•  applicable  requirements  that  form  the  basis  for  the  evalua¬ 
tion  points  within  the  scope  of  the  survey. 

Coordinaie  the  survey  schedule  with  the  unit 

Work  with  the  unit  command  to  develop  a  preliminary  schedule 
for  the  inbrief,  the  actual  survey,  and  the  outbrief. 

Arrange  for  appropriate  unit  personnel  to  support  the  survey 

The  survey  team  should  identify  the  unit  personnel  required  for 
the  survey  as  well  as  the  length  of  time  the  unit  personnel  will 
be  required.  The  use  of  these  individuals'  time  should  be  coordi¬ 
nated  with  the  unit  command. 


Assemble  a  survey  team  with  experience  that  matches  the  content 
oi  the  survey  to  be  periormed 

To  be  most  effective  and  efficient,  the  survey  team  members 
should  be  experts  in  the  subject  areas  reviewed  during  the 
survey  (or  at  least  involve  such  experts  in  their  survey). 

Plan  the  survey  inbrief 

The  purpose  of  the  inbrief  is  to  kick  off  the  safety  survey  with 
unit  management  by  introducing  the  participants  (survey  team 
and  unit  personnel),  briefly  discussing  the  activities  surrounding 
the  safety  survey  process,  and  providing  a  proposed  schedule 
of  activities. 
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Step  2 


Assess  the  Requirements/Evaluation  Points  and  Record 
Findings 


This  activity  involves  actual  field  assessment  of  evaluation  points 
(or  in  some  cases  the  requirements  themselves).  These  assess¬ 
ments  typically  include: 


•  Equipment  inspections 

•  Personnel  interviev/s 

•  Documentation  reviews 


Because  every  specific  implementation  of  each  requirement/ 
evaluation  point  cannot  realistically  be  observed  during  these 
surveys,  survey  teams  must  select  a  few  representative  instances 
to  evaluate  (I.e.,  sampling).  The  risk  significance  of  an  evaluation 
point  obviously  influences  how  many  and  what  types  of  field 
checks  a  survey  team  chooses  to  perform  (e.g.,  1 00%  of  a  certain 
type  of  critical  component  might  be  assessed,  while  only  10%  of  a 
less  critical  type  of  component  might  be  assessed). 


Note: 

The  actual  choices  of  sampling  plans  (i.e.,  which  specific 
equipment  to  check,  people  to  interview,  and  documents  to 
review)  are  left  to  the  discretion  of  survey  teams,  who  use  the 
risk  significance  of  evaluation  points,  as  well  as  their  own 
experience,  as  a  guide. 
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Deficiencies  identified  during  the  safety  survey  are  noted  as 
findings.  Typical  information  to  record  concerning  a  finding 
includes: 

•  the  associated  requirement/evaluation  point, 

•  whether  the  deficiency  appears  to  be  an  isolated  case  or  not, 

•  contributing  causes  of  the  deficiency,  and 

•  the  location  of  the  deficiency  at  the  unit. 
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Step  3. 


Identify  Root  Causes  of  Findings 


Root  causes  —  the  most  basic  causes  of  an  event  that  (1)  can  be 
reasonably  identified  and  (2)  management  has  control/influence 
to  fix. 

Root  cause  analysis  investigates  the  underlying  problems  that 
allov/ed  a  deficiency  to  occur  and  to  continue  to  exist  until  the 
survey  was  performed.  The  analysis  helps  ensure  that  a  specific 
deficiency  does  not  occur  again.  It  also  helps  ensure  that  the 
underlying  problems  do  not  contribute  to  various  other  types  of 
deficiencies  and/or  mishaps  (perhaps  seemingly  unrelated  to  the 
current  situation). 
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Through  a  systematic  process,  survey  team  members  try  to 
identify  management  system  weaknesses  that  contributed  to 
deficiencies  so  that  those  weaknesses  can  be  corrected  (not  to 
assign  blame  to  managers).  Management  system  weaknesses 
are  the  focus  because  vulnerabilities  that  allow  equipment  to 
fail  and  error-likely  situations  that  cause  human  mistakes  are 
generally  traced  to  fundamental  management  system  weak¬ 
nesses. 


Note: 

Roof  cause  analysis  goes  beyond  understanding  the  scenario 
of  events  that  led  to  the  deficiency.  More  investigation  of  the 
underlying  problems  is  required  to  find  and  correct  the  under¬ 
lying  management  problems  that  will  contribute  to  future 
deficiencies  if  not  corrected. 


It  is  preferable  that  root  cause  analysis  is  performed  on  all 
of  the  findings  at  some  level  of  detail.  However,  survey 
teams  may  decide  to  only  perform  an  analysis  on  selected 
findings  (e.g.,  the  findings  that  by  themselves  represent  a 
large  increase  in  risk  or  those  thought  to  indicate  broadly 
systemic  problems). 

There  are  several  techniques  available  to  perform  a  root  cause 
analysis.  Three  of  these  techniques  are  (1)  engineering/expert 
judgment,  (2)  the  5  Whys  technique,  and  (3)  the  JBF  Associ¬ 
ates,  Inc.  (JBFA)  Root  Cause  Map  technique. 
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Selected  Techniques  for 
Finding  Root  Causes 

■  Engineering/expert  judgment 

■  5  Whys  technique 

■  JBFA  Root  Cause  Map  technique 


Selecting  Techniques  for  Finding  Root  Causes 

Engineering/expert  jndgmeiit 

■  Most  common  approach  in  use  today 

•  Dependent  on  analyst's/team's  experience,  background,  and 
understanding  of  root  causes 

•  Not  auditable  for  thoroughness 

•  Not  inherently  consistent  or  reproducible 

5  Whys  technique 

The  5  Whys  technique  is  a  brainstorming-type  technique  for 
identifying  root  causes  of  problems  by  questioning  why  events 
occurred  or  conditions  existed 

Root  Comse  Map  technique 

•  Originally  derived  from  the  Department  of  Energy's  (DOE's) 
management  oversight  and  risk  tree  (MORT)  for  DOE's 
Savannah  River  Laboratory 

•  Structures  the  reasoning  process  for  identifying  root  causes 

•  Identifies  detailed  root  causes  for  each  major  root  cause 
category 

■  Promotes  consistency  across  all  root  cause  investigations 

•  Supports  trending  of  root  causes 
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The  5  Whys 


5  Whys  Technique 

The  5  Whys  technique  is  a  brainstorming-type  technique  for 

identifying  root  causes  of  problems  by  questioning  why  events 

occurred  or  conditions  existed 

Using  the  5  Whys 

•  Select  one  event  associated  with  a  problem  situation 

•  Ask  why  this  event  occurred  (i.e.,  the  most  direct  cause  of  the 
event) 

•  Solicit  answer(s)  to  this  question  (the  answer  may  identify  more 
than  one  subevent  or  condition  as  the  cause) 

•  For  each  of  these  subevents  or  causes,  ask  why  it  occurred 

•  Solicit  answers  to  these  why  questions  and  repeat  the  process 
through  at  least  three  more  iterations  of  why  questions 

•  Repeat  the  process  for  the  other  events  associated  with  the 
problem  situation 

1  Conelnsions  abont  5  Whys 

•  Resulting  subevents/conditions  should  be  at  or  near  the  root 

!?]  causes  of  the  event 

.y  •  More  or  less  detailed  evaluation  may  be  necessary  for  some 

cases  to  reach  management  system  root  causes 

•  Judgment  and  experience  are  key  factors  in  selecting  the  right 
level  of  evaluation  and  completeness 

•  This  technique  can  be  time  consuming  compared  to  other 
techniques  that  don't  require  brainstorming 

•  The  results  are  not  inherently  reproducible/consistent,  but  the 
application  is  auditable 


8-16 


Coast  Guard  IRA  Manual 


Risk-based  Safety  Surveys 


Performing  the  Surve 


8-17 


Risk-based  Safety  Surveys 


PeHormiii^h|^nrv||^ 


JBFA  Root  Cause  Map 


Observations  About  the  Structure  of  the  Map 

•  Items  most  closely  associated  with  hardware/engineered 
systems  appear  toward  the  left  side  of  the  map,  while  items 
most  closely  associated  with  personnel  appear  toward  the 
right  side  of  the  map 

•  Moving  from  left  to  right  on  the  map  parallels  the  progres¬ 
sion  of  system  development  (i.e.,  beginning  with  equipment 
design  and  progressing  through  operations  management 
and  personal  performance) 

•  Some  segments  of  the  map  are  not  resolved  to  "root  causes" 
to  maintain  consistency  in  the  level  of  detail  with  other 
segments  of  the  map  (further  expansion  is  certainly  accept¬ 
able) 

•  Different  arrangement  of  the  map  would  not  change  the 
fundamental  use  of  the  map  as  a  graphical  checklist  to  help 
provide  a  comprehensive  search  for  root  causes 

•  Various  organizations  may  need  to  slightly  modify  the  map 
structure/terminology  to  mesh  with  their  organizational  culture 
and  management  systems 
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Structure  of  the  Root  Cause  Map 


Using  the  Map 

•  Select  a  finding 

•  Work  through  the  mop  for  each  finding 

•  Step  down  root  path(s),  noting 

-  primary  difficulty  source  (equipment,  personnel,  other), 

-  problem  category, 

-  major  root  cause  category, 

-  near  root  cause,  and 

-  root  cause. 

•  Record  results  on  forms  at  each  step 

•  Perform  5  Whys  if  root  causes  are  not  deep  enough 

•  Use  root  causes  for 

-  generating  recommendations  and 

-  trending. 


Example 


Finding 

Paths  Through  the 
Root  Cause  Map 

Recommendations 

No  defined  guidance  for  ensuring 
personnel  in  charge  of  the  respirator 
program  receive  training  in 
administering  the  program 

Background:  Respirator  administration 
was  recently  turned  over  to  a  junior 
person.  This  person  performs  the 
actual  duties  of  the  respirator  program, 
but  has  not  been  fully  trained  on 
documenting  the  program. 

Supervisory  personnel  are  also  not 
fully  cognizant  of  the  program's 
administrative  requirements.  In 
addition,  a  heavy  work  load 
environment  on  board  detracts  from 
the  respirator  program  receiving  more 
attention. 

•  Personnel  difficulty 

•  Operations  problem 

•  Training 

•  Training  LTA 

•  Program  design  LTA 

•  Personnel  difficulty 

•  Operations  problem 

•  Immediate  supervision 

•  Supervision  during  work 

•  Supervision  LTA 

•  Human  factors 
engineering 

•  Workload 

•  Unrealistic  monitoring 
requirements 

•  Promulgate  written  Coast 
Guard  instructions 
outlining  the  training 
necessary  to  administer  a 
respirator  program 
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2.  Assess  the 
reqs/evaiuation 
points  and 
record  findings 


3.  identify  root 
causes  of 
findings 


I 


5.  Document  the 
results  and 
resolve  findings 


4.  Determine  the 
risk  impact 
of  findings 


A.  Identify 
deviations  affected 
by  the  finding 


B.  Estimate 
scores  to  reflect 
the  deficiency 


C.  Subtract  the 
baseline  RIN  from 
the  revised  RIN 


D.  Add  the 
changes  in  RIN 
and  determine  a 
risk  impact 


E.  Prioritize 
findings  by  risk 
Impact  category 


F.  Prioritize 
findings  within  a 
risk  impact 
category 


Step  4 


Determine  the  Risk  Impact  of  Findings 


Risk  impact  of  a  finding  —  the  relative  risk  weighting  of  a 
finding  representing  the  potential  increase  in  unit  risk  because  of 
the  finding. 


The  risk  impact  of  safety  survey  findings  provides  a  foundation 
for: 

•  Prioritizing  findings  for  resolution 

•  Planning  future  surveys 

•  Trending  the  effectiveness  of  requirements 

•  Updating  the  coarse  hazard  analysis 

•  Updating  the  safety  survey  process 
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Step  4il  Identify  the  coarse  hazard  analysis  deviation(s) 
affected  by  the  finding 


Rnding 


No  record  of 
preventive 
maintenance  of 
lifting/lowering 
system 


No  sewage  CHT 
operating 
instnjctioru 
posted  in  the 
sewage  space 


Evaluation 

Point 

(Checklist 

Item) 


N014 


Affected  Deviation 
(Operation/Evolution 
Function 
Deviation) 


Small  boat 
launch/rccovery: 
From  vessel 

Operating  lifting 
equipment 
Incorrect  load 
position,  direction, 
speed 


Small  boat  launch/ 
recovery: 

From  vessel 

Operating  lifting 
equipment 
Loss  of  support 


Risk  Impact  of  FindinQ 


KX)1 


Not  operation/ 
evolution  specific 

Providing  sewage 
services 

Bioiogicai/hazards 

exposure 


Not  operation/ 
evolution  specific 

Providing  sewage 

sen/ices 

Fire/explosion 


Risk  Impact  of  Finding 


Batalina 

Frequency  | 
Scorta 

Am  C  Dl 


RIN 


Revised 

Frequency 

Scorta 

Revised 

RIN 

Change 
In  RIN 

Risk 

Impact 

m 

1 

1 

1 

1 

1 

1 

1 

1 

1 

■ 

1 

1 

1 

1 

1 

1 

1 

■ 

1 

Each  safety  survey  finding  is  associated  with  a  safety  survey 
evaluation  point  (checklist  item)  and/or  requirement.  Each 
evaluation  point  or  requirement  has  been  correlated  to  one  or 
more  deviations  in  the  coarse  hazard  analysis.  By  using  the 
evaluation  point/requirement-to-deviation  relationship,  a 
finding  con  be  correlated  to  a  deviation(s). 
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Step  4.B  Estimate  revised  frequency  scores  for  each  deviation  to 
reflect  the  existence  of  the  deficiency  and  calculate 
revised  RINs 


No  record  of 
preventive 
maintenance  of 
lifling/lowenng 
system 


Evaluation  Affected  Deviation 
Point  (Operation/Evolution 

(Checklist  function 

Item)  Deviation) 


Small  boat 
launch/recovery: 
From  vessel 
Operating  Siting 
equipment 
Incorrect  load 
positioa  direction, 
speed 


Small  boat  launch/ 
recovery: 

Prom  vessel 
Operating  Siting 
equipment 
Loss  of  support 


Baseline 

Frequency 

Scores 


Ravisad 

Fraquanqf 

Scoraa 

RIN 

m 

11 

Ravisad 

RIN 

II 

Risk 

Impact 

Risk  Impact  of  Finding 


No  sewage  CHT 
operating 
instructions 
posted  in  the 
sewage  space 


Not  operation/ 
evolution  specific 
Providing  sewage 
services 

Biologicat/hazards 

exposure 


Not  operation/ 
evolution  specific 
Providing  sewage 
services 
Fire/explosion 


Risk  Impact  of  Finding 


For  each  deviation,  estimate  nev/  frequency  scores  that  charac¬ 
terize  current  risks,  given  the  existence  of  the  deficiency,  it  may 
be  necessary  to  review  the  coarse  hazard  analysis  tables  to 
understand  which  safeguards  were  assumed  to  be  effective  in 
controlling  risk.  Calculate  a  revised  risk  index  number  (RIN) 
using  the  new  frequency  scores. 


IMPORTANT! 


Care  should  be  taken  to  ensure  that  the  safeguard  as¬ 
sociated  with  the  finding  influenced  the  risk  charac¬ 
terization  in  the  coarse  hazard  analysis.  The  safeguard 
may  have  been  known  to  be  unreliable  and  therefore 
significant  in  the  coarse  hazard  analysis.  The  frequency 
scores  would  already  reflect  the  absence  of  this  safe¬ 
guard  and  would  not  be  affected  by  the  finding. 
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Note: 

This  equation  is  derived  assuming  an  average  Class  A/B 
mishap  is  equivalent  to  $300,000,  an  average  Class  C 
mishap  is  equivalent  to  $30,000,  and  an  average  Class  D 
mishap  is  equivalent  to  $3,000. 


Calculate  the  RIN  for  each  deviation  by  using  the  following 
equation: 

RIN  =  (0.3  *  10(^1  +  0.03  *  10'^*=!  +  0.003  *  lOi^*^  )/l  0,000 
Where: 

FsA/B  =  the  frequency  score  for  Class  A/B  mishaps 
FsC  =  the  frequency  score  for  Class  C  mishaps 
FsD  =  the  frequency  score  for  Class  D  mishaps 

For  a  complete  derivation  of  the  RIN,  see  Section  5,  Step  3.B.2. 
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Step  4.C  Subtract  the  baseline  BIN  from  the  revised  RIN 

The  change  in  RIN  due  to  the  finding  provides  a  relative  measure 
of  the  risk  impact  associated  with  the  finding. 
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Step  4.D  Add  the  changes  in  RIN  of  all  deviations  associated 
with  the  finding  and  determine  a  risk  impact  for  the 
finding 

Use  the  change  in  RIN  and  the  table  below  to  assign  a  risk 
impact  to  each  finding. 


Risk  Impact 

Definition 

Criteria* 

High 

Significant  increase  in  overall 
vessel  risk 

Increase  of  RIN  by  more  than  20 

Medium 

Moderate  increase  in  overall 
vessel  risk 

Increase  of  RIN  by  more  than  1 , 
but  less  than  20 

Low 

Minor  increase  in  overall  vessel 
risk 

Increase  of  RIN  by  more  than  0.01 , 
but  less  than  1 

Very  Low 

Undesirable  condition,  but  no 
significant  change  in  vessel  risk 

Increase  of  RIN  by  less  than  0.01 

*Criteria  based  on  the  cumulative  increase  in  risk  index  numbers  for  the  relevant  hazard  analysis 
deviations 


No  record  of 
preventivo 
maintenartca  of 
lifting/towering 
system 


No  sewage  CHT 
operating 
instnxtions 
posted  in  the 
sewage  space 


Evaluation 

Point 

(Chackliat 

Itam) 

Affactad  Davlation 
(Oporation/Evolution  . 
Function 
Ooviation) 

N014 

Small  boat 
launch/racovary: 

From  vaaaol 

OpenSng  SKng 
equipment 

Incorract  toad 
position,  diraction. 
spaad 

Small  boat  launch/ 
racovary: 

From  vaaaal 

Operating  iHting 
equipment 

Loss  of  support 

I  Risk  Impact  of  Finding 

1001 

Not  oparatlonf 
avolution  spaciflc 
Providing  sewege 
services 

Biological/hazards 

axposura 

Not  oparatlon/ 
avolution  spaciflc 
Providing  sewege 
services 

Fira/axplosion 

Baseline 

Frequency 

Scores 


3  3  0.0063 


Ravlaad 

RIN 

Chang# 
In  RIN 

0.63 

0.621 

0.09 

0.0837 

0  70  I  Low 


5  0.09  0.054 


Risk  Impact  of  Finding 


0  59  Low 
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Step  4.E 


Prioritize  findings  by  risk  impact  category 


One  of  the  key  results  of  making  risk-based  judgments  is  priori¬ 
tizing  the  findings  for  resolution.  Establishing  a  resolution 
order  helps  to  efficiently  and  effectively  use  unit  resources.  The 
findings  with  higher  risk  impact  are  resolved  first  to  ensure  unit 
risk  is  managed  appropriately.  (Occasionally,  findings  with 
lower  risk  impact  will  require  such  a  low  level  of  resources  to 
resolve  that  it  makes  sense  to  resolve  them  with  the  higher  risk 
impact  findings.) 


Finding 

Risk  Impact  Category 

Gasoline  was  stored  in  a  white  plastic  &galion  bucket  and 
was  slowly  leaking  on  the  deck 

High 

Water  was  leaking  into  the  CIWS  control  room  and  was 
pooling  on  the  floor 

High 

Crewmen  in  the  paint  locker  were  not  wearing  respirators 
and  were  not  aware  of  the  need  to  wear  respirators 

High 

Walk-in  refrigerator  was  not  maintaining  the  appropriate 
temperature 

Medium 

No  expiration  date  was  listed  on  personal  eyewash  stations 
in  the  EM  shop 

Low 

Top  protective  cover  for  the  drill  press  in  the  maintenance 
sifop  was  missing 

Low 

Battle  lantern  in  the  wardroom  was  not  working 

Very  Low 

Forward  sewage  did  not  have  a  sign  posted  saying:  "No 
eating,  drinking,  or  smoking  in  this  space" 

Very  Low 

Note: 

The  order  of  resolving  findings  is  ultimately  left  to  the  unit 
commands. 


The  prioritization  of  findings  is  designed  to  be  a  tool  to  help 
unit  commands  manage  resources.  Using  the  risk  significance 
categories,  the  survey  team  suggests  a  resolution  order. 
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Step  4.F  Prioritize  the  findings  within  a  risk  impact  category 


This  step  is  less  critical  than  the  previous  step;  however,  it  may 
be  very  worthwhile  for  a  unit  with  a  large  number  of  findings 
in  a  single  category.  Typical  criteria  for  prioritizing  within  a 
category  include: 


•  Cost  to  resolve  the  finding 

•  Length  of  time  required  to  resolve  the  finding 

•  Political  implications  of  the  finding 

•  Perceived  risk  of  the  finding  relative  to  other  findings  in  the 
category 
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resolve  findings 


Performing  the  Surve 


C.  Work  with  units 
to  assign 
responsibilities/ 
resolution  dates 


D.  Track  resolution 
of  findings 


Step  5.  Document  the  Results  and  Resolve  Findings 

The  results  of  the  safety  survey  are  presented  in  an  outbrief 
and  documented  i.i  a  brief  safety  survey  report.  The  findings 
are  recorded  in  a  findings  database  (e.g..  Hazard  Condition 
Notice  [HCN]  database). 
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Step  5  Jl 


Perform  an  outbrief 


The  survey  visit  should  be  concluded  with  an  outbrief.  The 
purpose  of  an  outbrief  is  to  give  the  unit  command  immediate 
feedback  from  the  survey  and  to  discuss  the  remaining  steps  of 
the  safety  survey  process.  As  with  the  inbrief,  the  Coast  Guard 
is  very  experienced  at  performing  outbriefs  and,  therefore,  the 
method  for  performing  an  outbrief  will  be  left  to  the  discretion 
of  individual  survey  teams.  However,  consider  including  these 
topics: 

•  The  survey  team's  impression  of  the  severity  of  the  findings 
(general  state  of  the  unit) 

•  A  preliminary  list  of  the  significant  findings 

•  The  preliminary  root  causes 

•  The  next  steps  in  the  safety  survey  process  (i.e.,  root  cause 
analysis,  risk  impact  of  findings,  prioritizing  findings,  and 
safety  survey  report) 

•  A  schedule  for  when  the  safety  survey  report  will  be  finished 
and  submitted  to  the  unit 

•  A  discussion  on  the  contents  of  the  safety  survey  report 
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Step  5.B 


Document  findings  in  a  report  and  database 


^  Safety  survey  report 

y  Shortly  after  the  safety  survey,  a  brief  written  report  documenting 

the  safety  survey  results  should  be  presented  to  the  unit  com¬ 
mand.  The  report  should  Include  the  following  information: 

•  Prioritized  list  of  findings  with  a  suggested  order  to  resolve 
the  findings 

•  Explanation  of  the  findings,  including  number  of  instances 
and  unit  location 

•  Root  causes  of  the  findings 

•  Global  implications  of  the  findings 

•  Any  additional  information  the  survey  team  sees  fit  to  convey 

I  Findings  database 

The  survey  team  should  document  the  findings  in  a  findings 
database  (e.g.,  HCN  database).  For  example,  the  following 
information  could  be  recorded  about  each  finding: 

•  Unit  class  and  unit 

•  Date  of  finding 

•  Associated  requirement/evaluation  point 

•  Risk  impact  category  of  finding 

•  Individual  responsible  for  resolution  of  finding 

•  Target  resolution  date 
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Step  5.C 


Work  with  unit  commands  to  assign  responsibilities  and 
target  resolution  dates 


It  is  up  to  unit  commands  to  resolve  the  findings  in  a  timely 
manner;  ho>vever,  the  survey  team  plays  an  integral  part  in  the 
resolution. 


Different  unit  commands  may  choose  to  assign  responsibilities 
and  target  resolution  dates  in  various  ways.  It  is  typically  out  of 
the  survey  team's  control  to  make  assignments.  Hov/ever,  the 
survey  team  can  suggest  guidelines  for  establishing  target 
resolution  dates  such  as  in  the  table  below. 


Risk  Impact 

Guidance^ 

High^ 

Resolve  at  earliest  convenient  time  within  a  1*month  period 

Medium 

Resolve  at  earliest  convenient  time  within  a  6>month  period 

Low 

Resolve  at  earliest  convenient  time  within  a  12-month  period 

Very  Low 

Resolve  at  earliest  convenient  time  before  the  next  safety  survey 

^  Items  may  be  resolved  by  permanent  corrective  actions  or  temporary  mitigative  actions  until  a  more 
permanent  action  can  be  implemented. 

2  Some  items  may  require  immediate  attention  before  (or  shortiy  after)  the  safety  survey  ends. 
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Step  5.D  Track  resolution  of  findings 


The  survey  team  should  v/ork  v/ith  the  unit  command  to  track 
the  findings  until  resolution. 


Finding 

# 

Finding 

Planned 

Resolution 

Risk  Impact 

Target 

Resolution 

Date 

Status 

Completed 

Date 

F001 

No  record  of 
preventive 
maintenance  of 
hoses  and 
disconnects 

Perform 

maintenance 

Develop 
preventive 
maintenance 
plan  for  hoses 
and  disconnects 

Low 

4/13/97 

4/27/97 

Maintenance 

performed 

Writing  plan 

5/4/97 

F002 

No  sewage  CHI 
operating 
instructions 
posted  in  the 
sewage  space 

Post  instructions 

Low 

4/2/97 

instructions 

posted 

4/2/97 
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The  IRA  Risk-based  Safety  Survey 


■  Introduction 

■  Performing  a  risk-based  safety  survey 


■  Maintaining  the  risk-based  safety  survey 
process 


■  Information  exchange  between  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 

■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 

■  Making  decisions  using  the  IRA  risk-based 
safety  survey 


Maintaining  the  Risk-based  Safety  Survey  Process 

Several  maintenance  activities  must  be  performed  on  the  safety 
survey  process  to  ensure  that  the  process  is  continually  improv¬ 
ing  and  remains  effective  as  unit  risks  change.  As  the  safety 
survey  process  matures,  the  survey  results  are  used  to  continu¬ 
ally  improve  the  effectiveness  of  the  process.  The  process  relies 
on  historical  safety  survey  information  to  improve  the  accuracy 
of  measures  of  risk  and  risk  rankings.  Also,  Coast  Guard  unit 
configurations,  operations,  and  personnel  are  continuously 
being  changed  {e.g.,  the  addition  of  a  waste  incinerator,  new 
limitations  on  boarding  operations,  reduction  in  force  on  a 
class  of  cutters);  each  of  these  changes  affects  unit  risk.  The 
safety  survey  must  be  adaptive  to  change  to  effectively  manage 
unit  risk. 
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1.  Adding/ 
modifying/deleting  | 
reqs/evaluation 
points 


2.  Relating  reqs/ 
evaluation  points 
and  deviations 


3.  Updating  the 
]  risk  significance  of 
reqs/evaiuation 
points 


4.  Developing  a 
safety  survey 
schedule 


5.  Improving  the 
safety  survey 
process 


Overview  of  the  Activities  for  Mointaining  the  Rish- 
based  Safety  Survey  Process 

This  section  outlines  the  activities  for  maintaining  the  risk-based 
safety  survey  process. 

1.  Adding/modifying/deleting  reqnirements/evalnatioit  points 

Often  it  is  necessary  to  add/modify/delete  requirements/evalua¬ 
tion  points  to  improve  the  results  of  the  safety  survey  process  and 
to  ensure  that  issues  with  high  risk  significance  are  effectively 
surveyed. 

2.  Updating  relationships  between  reqnirements/evalnation 
points  and  deviations 

The  key  to  determining  the  risk  significance  of  evaluation 
points  is  the  relationship  between  evaluation  points  and  coarse 
hazard  analysis  deviations.  Each  requirement/evaluation  point 
should  be  associated  with  one  or  more  deviations. 
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3.  Updating  the  risk  significance  of  reqnirements/evalnation 
points 

The  risk  significance  of  the  requirements/evaluation  points 
helps  to  plan  a  safety  survey  in  which  resources  are  efficiently 
and  effectively  used. 

4.  Developing  a  safety  survey  schedule 

A  safety  survey  schedule  provides  a  systematic  means  to  assess 
requirements/evaluation  points  proportional  to  their  associated 
risk  significance  while  ensuring  that  all  requirements/evalua¬ 
tion  points  are  assessed  over  a  period  of  time. 

5.  Improving  the  safety  survey  process 

Continually  Improving  the  process  as  it  matures  will  help  it  run 
more  smoothly  and  be  more  effective  In  controlling  risk. 
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1.  Adding/ 
modifying/ 
deleting  reqs/ 
evaluation  points 


2.  Relating  reqs/ 
evaluation  points 
and  deviations 


3.  Updating  the 
risk  significance  of  | 
reqs/evaluation 
points 


4.  Developing  a 
safety  survey 
schedule 


5.  Improving  the 
safety  survey 
process 


Step  1 


Adding/Modifying/Deleting  Requirements/Evalnation 
Points 

Occasionally,  it  will  be  necessary  to  add,  modify,  or  delete  a 
requirement/evaluation  point.  The  following  are  five  typical 
reasons  for  making  changes  to  the  set  of  safety  survey  require¬ 
ments/evaluation  points. 


Due  to  hazard  analysis  (coarse  and  detailed)  recommendations 

Hazard  analysis  results  may  reveal  the  need  for  additional  safe¬ 
guards  to  manage  risk  due  to  a  change  in  unit  configuration, 
operation,  or  personnel.  These  safeguards  may  require 
(whether  regulatory  driven  or  Coast  Guard  management 
driven)  evaluation  points  to  assess  their  effectiveness.  Also,  a 
low  risk  characterization  coupled  with  a  lack  of  survey  findings 
may  suggest  that  an  evaluation  point  is  not  needed  for  a 
particular  issue  and  the  evaluation  point  could  be  deleted. 

Dne  to  regnlatory  requirements 

The  addition/modification/deletion  of  Coast  Guard  regulatory 
requirements  will  change  the  set  of  requirements/evaluation 
points  in  a  safety  survey. 
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Due  to  MISREP/CASBEP  data 

Historical  MISREP/CASREP  (mishaps)  data  may  reveal  the  need  for 
additional  requirements  (safeguards)  to  prevent  or  mitigate' 
mishaps.  Evaluation  points  will  be  developed  to  ensure  the  imple¬ 
mentation  of  the  requirements.  Also,  MISREP/CASREP  data  may 
reveal  the  need  for  a  modification  to  requirements/evaluation 
points  to  prevent  or  mitigate  mishaps. 

Dne  to  safety  surveys 

During  the  safety  survey  (and  from  the  results),  the  survey  team 
may  believe  that  evaluation  points  are  not  stated  accurately 
enough  to  thoroughly  assess  the  critical  issues  or  an  evaluation 
point(s)  may  be  missing  for  a  critical  issue(s).  The  survey  team 
should  work  to  improve  the  survey  by  adding  or  modifying  re¬ 
quirements/evaluation  points.  Also,  the  lack  of  survey  findings 
coupled  with  a  low  risk  characterization  from  the  hazard  analysis 
may  suggest  that  an  evaluation  point  is  not  needed  for  a  particu¬ 
lar  issue  and  the  evaluation  point  could  be  deleted. 

Dne  to  unit  command  or  Coast  Gnard  management 

Unit  commands  or  Coast  Guard  management  may  decide  that 
certain  issues  warrant  additional  evaluation  points.  The  follow¬ 
ing  are  reasons  they  may  have  for  adding  evaluation  points: 

*  An  unacceptable  number  of  findings  or  mishaps  surrounding  an 
issue  (at  the  unit  or  other  units) 

*  Inexperience  of  unit  personnel  with  a  certain  issue  (e.g.,  type 
of  hardware,  type  of  chemical,  unit  operation) 

*  Change  in  unit  configuration,  operation,  or  personnel 


Note: 

Often,  a  requirement  has  not  changed  but  an  evaluation 
point  may  need  to  be  reworded  to  improve  its  effectiveness  in 
assessing  the  requirement. 
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3.  Updating  the 
risk  significance  of 
reqs/evaiuation 
points 


4.  Developing  a 
safety  survey 
schedule 


A.  Associate  req/ 
evaluation  points 
with  functions 


B.  Determine 
which  deviations 
are  applicable 


C.  Associate 
deviations  with 
operations/ 
evolutions 


5.  Improving  the 
safety  sun/ey 
process 


Step  2  Relating  Requirements/Evaluation  Points  and 
Deviations 

All  requirements/evaluation  points  should  be  correlated  to  one  or 
more  coarse  hazard  analysis  deviations.  This  correlation  pro¬ 
vides  the  means  to  risk  rank  the  requirements/evaluation 
points,  risk  rank  survey  findings,  and  update  the  coarse  hazard 
analysis  using  the  safety  survey  results. 
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Step  2.A  Associate  requirements/evaluation  points  with  unit 
functions 


Requirement 

Evaluation  Point 

Vessel  Function 

COMDTINST  M9000.6B 

is  a  thorough  davit  and  boat  hoist 
installation  inspection  conducted  annually  in 
conjunction  with  the  boat  hull  inspection, 
and  are  the  results  recorded  in  the  cutter's 
hull  history? 

Operating  lifting 
equipment 

COMDTINST  M9000.6B 

Have  helicopter  deck  tiedown  fittings  been 
given  a  certified  pull  test,  and  are  records 
available  upon  request  and  recorded  in  the 
hull  history  log? 

Operating  lifting 
equipment 

NSTM  5837.5 

Are  slings  designed  for  a  specific  boat  only 
used  to  lift  that  type  of  boat? 

Operating  lifting 
equipment 

NSTM  5837.5  * 

Are  slings  taken  out  of  service  when  signs 
of  deterioration  are  noted? 

Operating  lifting 
equipment 
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Step  2.B  Determine  which  deviation(s)  within  the  function  is 
applicable  to  the  requirement 


Evaluation  Point  Vessel  Function 

is  a  thorough  davit  and  boat  hoist  Opemting  lifting 
installation  inspection  conducted  equipment 

annually  in  conjunction  with  the  boat 
hull  inspection,  and  are  the  results 
recorded  in  the  cutter's  hull  history? 

Have  the  helicopter  deck  tie-down  Operating  lifting 

fittings  been  given  a  certified  pull  equipment 

test,  and  are  records  available  upon 
request  and  recorded  in  the  hull 
history  log? 

Are  slings  designed  for  a  specific  Operating  lifting 
boat  only  used  to  lift  that  type  of  equipment 
boat? 

Are  slings  taken  out  of  service  when  Operating  lifting 
signs  of  deterioration  are  noted?  equipment 


Note: 


This  provides  a  correlation  that  will  be  refined  in  the  next 
step.  The  deviation  must  also  be  associated  with  one  or  more 
operations/evolutions. 
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Deviation 
Loss  of  support 


Loss  of  support 


Loss  of  support 


Loss  of  support 
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Step  2.C  Eliminate  the  requirements  that  do  not  apply  to  the 
deviation  when  the  deviation  is  associated  with  an 
operation/evolution 


Operation/ 

Evolution 


Vessel  Function  Deviation  Requirement 


Small  boat  Operating  lifting 

launch/recovery  equipment 
from  vessel 


COMDTINST 

M9000.6B 


Evaluation  Point 


Is  a  thorough  davit  and  boat 
hoist  installation  inspection 
conducted  annually  in 
conjunction  with  the  boat  hull 
inspection,  and  are  the  results 
recorded  in  the  cutter's  hull 
history? 


Operating  lifting 
equipment 

Loss  of 
support 

NSTM  583.7.5 

Are  slings  designed  for  a  specific 
boat  only  used  to  lift  that  type  of 
boat? 

Operating  lifting 

Loss  of 

NSTM  583.7.5 

Are  slings  taken  out  of  service 

equipment 

support 

when  signs  of  deterioration  are 
noted? 

Note: 

Remember  that  a  deviation  within  the  coarse  hazard  analysis 
is  defined  by  its  associated  function  and  operation/evolution. 
A  requirement  that  may  apply  to  a  deviation  during  towing 
may  not  apply  to  the  same  deviation  during  helicopter 
operations. 
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Step  3 


Updating  the  Risk  Significance  of  Requirements/ 
Evaluation  Points 

Risk  ranking  requirements/evaluation  points  provides  a  means  for 
planning  a  safety  survey.  Requirements/evaluation  points  are 
risk  ranked  using  a  relative  measure  of  risk  called  risk  signifi¬ 
cance.  The  risk  significance  is  determined  by  calculating  the 
risk  contribution  and  risk  sensitivity  of  the  requirement/evalua¬ 
tion  point.  The  requirements/evaluation  points  are  risk  ranked 
by  their  risk  significance.  This  risk  ranking  ensures  that  safety 
survey  efforts  are  only  reduced  for  those  evaluation  points  that 
have  both  (1)  a  low  risk  contribution  and  (2)  a  low  risk  sensitiv¬ 
ity.  The  following  sections  explain  the  processes  required  to 
determine  risk  contribution,  risk  sensitivity,  and  risk  signifi¬ 
cance. 
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1.  Adding/ 

I  modifying/deleting 
reqs/evaiuation 
points 


2.  Relating  reqs/ 
evaluation  points 
and  deviations 


3.  Updating  the 
risk  significance 
of  reqs/ 

evaluation  points 


A.  Determine  the 
risk  contribution 


A.1  Determine  the  risk 
contribution  based  on  the 
coane  hazard  analysis 


4.  Developing  a 
safety  sunrey 
schedule 


5.  Improving  the 
safety  sunrey 
process 


I 


B,  Determine  the 
risk  sensitivity 


A.2  Determine  the  risk 
contribution  based  on  past 
mishaps 


C.  Determine  the 
risk  significance 


A.3  Determine  the 
overall  risk  contribution 


Step  3  Jl 


Determine  the  risk  contribution 


Risk  contribution  —  the  fraction  of  total  unit  risk  for  which 
deficiencies  associated  with  a  requirement/evaluation  point  are 
contributors 


Risk  contribution  of  a  requirement/evaluation  point  is  deter¬ 
mined  based  on  (1)  coarse  hazard  analysis  results  and  (2) 
investigation  of  past  mishaps. 


Note: 

Both  means  should  be  used  to  determine  risk  contribution. 
However,  if  there  is  a  lack  of  information,  using  only  one 
means  is  acceptable. 


Steps  to  determine  the  risk  contribution 

3. A.1  Determine  the  risk  contribution  based  on  the  coarse 
hazard  analysis 

3.A.2  Determine  the  risk  contribution  based  on  past  mishaps 
3. A.3  Determine  the  overall  risk  contribution 
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Step  3  JLl  Determine  the  risk  contribution  based  on  coarse  hazard 
analysis  results 

Identify  the  deviations  associated  with  a  requirement/evalua¬ 
tion  point  and  sum  the  risk  contribution  of  the  deviations. 


Requirement 

Evaiuation  Point 

Deviation 

(Operation/Evolution 

Function 

Deviation) 

Risk 

Contribution 

NSTM  5533-2.1.3 

G002 

Not  operation/evolution  specific 

Providing  potabie  water  services 

Potable  water  quality  problems 

0.052 

Total  Risk  Contribution 

0.052 

COMDTINST 

M6240.4A, 

Ch.  3-F-1 
thru  3-F-3  and 

12-A 

H043 

Not  operation/evolution  specific 

Providing  food  services 

Inadequate/no  food  service 

0.0005 

Not  operation/evolution  specific 

Providing  food  services 

Food  quality  problem 

0.0005 

Not  operation/evoiution  specific 

Providing  food  services 

Biological  hazards  exposure 

0.0005 

Total  Risk  Contribution 

0.0015 

Using  the  following  table,  determine  the  risk  contribution 
importance  based  on  coarse  hazard  analysis  results. 


Risk  Contribution 
Importance 


High 


Medium 


Low 


Description 


Requirement/evaluation  point  with  risk  contribution  ^0.1 


Requirement/evaluation  point  with  risk  contribution  2!  0.01  and  <0.1 


Requirement/evaluation  point  with  risk  contribution  <0.01 


Example 

•  Risk  contribution  importance  of  G002  =  Medium 

•  Risk  contribution  importance  of  H043  =  Low 
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Step  3  JL2 


Determine  the  risk  contribution  of  o  requirement/evaluation 
point  bosed  on  past  mishaps 


Identify  the  mishaps  associated  with  a  requirement/evaluation 
point. 


Requirement 

Evaluation 

Point 

Actual  Mishap 

Date 

Mishap  Category 

NSTM  553-2.13 

G002 

Seaman  used  the  potable  water 
hose  to  pump  water  from  the 
bilge.  Potable  water  hose  was 
replaced 

3/14/95 

D 

Seaman  used  wrong  hose  to 
replenish  the  potable  water 
system.  Subsequently,  13 
seaman  were  admitted  to  the 
hospital  for  illness 

11/3/93 

A/B 

COMDTINST 

M6240.4A. 

Ch.  3-F1  thru 
3-F-3  and  12-A 

H043 

Food  service  personnel 
improperly  stored  a  shipment  of 
beef.  Subsequently,  the  entire 
shipment  spoiled  and  was  thrown 
out 

6/28/95 

C 

Calculate  the  risk  contribution. 

ZA  /  B  Events  .  x  1 00  + 

Evaluation  point  as  contnbutor 

ZC  Events  x  1 0  + 

Evaluation  point  as  contnbutor 

y'  D  Events 

Evaluation  point  as  contnbutor 

^  A  /  B  Eventsjotai  x  1 00  +  ^  C  Eventsxo,oi  x  1 0  +  ^  D  Eventsjo,o, 


Example 

•  Total  A/B  events  =  5 

•  Total  C  events  =  7 

•  Total  D  events  =  23 

Risk  contribution  of  G002  based  on  past  mishaps 
((1  xlOO)  +  (0x10)  +  l)/593  =  0.17 
Risk  contribution  of  H043  based  on  past  mishaps 
({0  X  100)  +  (1  X  10)  +  0)/593  =  0.017 


Using  the  following  table,  determine  the  risk  contribution 
importance  based  on  past  mishaps. 


1  1 

Risk  Contribution 
Importance 

Description 

High 

Requirement/evaluation  point  with  risk  contribution  ^  0.1 

Medium 

Requirement/evaiuation  point  with  risk  contribution  ^  0.01  and  <0.1 

Low 

Requirement/evaluation  point  with  risk  contribution  <0.01 

Example 

•  Risk  contribution  importance  of  G002  =  High 

•  Risk  contribution  importance  of  H043  =  Medium 
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Step  3.A.3 


Determine  the  overall  risk  contribution  of  a  requirement/ 
evaluation  point 


Evaluation 

Point 

Risk  Contribution  Based 
on  Coarse  Hazard  Analysis 

Risk  Contribution  Based 
on  Past  Mishaps 

Risk 

Contribution 

G002 

Medium 

High 

High 

H043 

Low 

Medium 

Medium 

The  overall  risk  contribution  is  the  highest  level  of  importance 
identified  based  on  coarse  hazard  analysis  results  and  past  mis¬ 
haps.  As  demonstrated  in  the  table,  evaluation  point  G002  has  a 
coarse  hazard  analysis-based  risk  contribution  of  Medium  and 
a  past  mishap-based  risk  contribution  of  High.  Thus,  G002's 
risk  contribution  is  High. 
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Step  3.B 


Determine  the  risk  sensitivity 


Risk  sensitivity  —  the  change  in  total  unit  risk  with  a  change  in 
the  dependability  of  a  safeguard  (requirement/evaluation  point) 


Risk  sensitivity  analysis  of  a  requirement/evaluation  point 
(safeguard)  is  necessary  due  to  the  inherent  uncertainty  in 
determining  risk  contribution.  Risk  sensitivity  is  a  relative  mea¬ 
sure  of  the  impact  that  the  degradation  of  a  safeguard  (re- 
quirement/evaluation  point)  has  on  total  unit  risk.  Risk 
sensitivity  provides  insight  into  how  risk  contribution  might 
change  if  a  safeguard  were  a  little  more,  or  a  little  less,  de¬ 
pendable  than  estimated  in  the  coarse  hazard  analysis.  If  the 
safeguard  reliability  information  used  to  determine  the  risk 
associated  with  a  deviation  was  1 00%  accurate,  there  would  be 
no  need  for  risk  sensitivity  analysis. 


The  analysis  assigns  a  risk  sensitivity  (High,  Medium,  or  Low)  to 
a  requirement/evaluation  point  by  observing  the  types  of 
findings  associated  with  the  requirement/evaluation  point  over 
time.  A  requirement/evaluation  point  that  produces  High  or 
Medium  findings  the  majority  of  the  time  will  most  likely  have  a 
High  risk  sensitivity.  Risk  sensitivity  is  used  with  risk  contribution 
to  determine  overall  risk  significance. 
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Steps  to  determine  the  risk  sensitivity 

3.B.1  Identify  findings  in  risk  impact  categories  associated 
with  requirements/evaluation  points 

3.B.2  Calculate  the  percentage  of  time  a  finding  resulted  in 
each  category 

3.B.3  Score  the  spectrum  of  risk  impacts 

3.B.4  Add  the  scores  and  determine  the  risk  sensitivity 
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Step  3.B.1  Identify  the  number  of  findings  in  each  risk  impact  category 


Risk-based  Safety  Surveys 


Maintaining  the  Survey  Process 


Step  3.B.2 


Calculate  the  percentage  of  time  a  finding  associated  with  a 
reqnirement/evaluation  point  resulted  in  eoch  risk  impact 
category 


Requirement 

Evaluation  Point 

Percentage  of  Time  a  Finding  Associated 
with  a  Requirement/Evaluation  Point 
Resulted  in  Each  Risk  Impact  Category 

Very  Low 

Low 

Medium 

High 

NSTM  553-2,1.3 

G002 

22% 

0% 

22% 

56% 

COMDTINST 
M6240.4A.  Ch.  3-F-1 
thru  3-F-3  and  12-A 

H043 

66% 

22% 

11% 

0% 

Example 

From  the  table  in  Step  1 ,  there  have  been  a  total  of  nine 
findings  recorded  for  G002.  The  percentages  in  the  table 
above  are  calculated  by  dividing  the  number  of  findings  in 
a  category  by  the  total  number  of  findings.  The  percent¬ 
ages  for  G002  are  calculated  as  follov/s: 

Very  Low  2/9  =  0.22  22% 

Low  0/9  =  0  0% 

Medium  2/9  =  0.22  22% 

High  5/9  =  0.56  56% 
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Step  3.B.3 


Score  the  spectrum  of  risk  impacts  lor  eoch  requirement/ 
evaluation  point 


Use  the  percentages  from  Step  2  to  identify  a  score  for  each 
risk  impact  category  using  the  table  below. 


Percentage  of  Time  that  the  Findings 
Associated  with  a  Requirement/ 
Evaiuation  Point  Resulted  in  the  Listed 
Risk  Impact  Categories 

Risk  Impact  Score 
for  Categories  of  Findings 

Very  Low 

Low 

Medium 

High 

80%  to  100% 

o.or 

1 

20 

50 

10%  to  80% 

0 

0.8 

16 

40 

>0%  to  10% 

0 

0.1 

2 

5 

0% 

0 

0 

0 

0 

*  Scores  (relative  weights)  used  for  assessing  risk  sensitivity  of  requirement/evaluation  points 


Example 

For  G002, 
Very  Low  0 
Low  0 

Medium  1 6 
High  40 
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Step  3.B.4  Add  the  scores  ond  determine  the  risk  sensitivity 

□  ^^®^®s«mifivHy  low  ^  ScorSijp^  +  Score^jjyj^  +  ScorSi^jg^ 


Method  for  Categorizing  Risk  Sensitivity  of  Requirements/Evaluation  Points 

Risk  Sensitivity 

Description 

High 

Requirements/evaluation  points  with  a  risk  sensitivity  score  of  ^  20 

Medium 

Requirements/evaluation  points  with  a  risk  sensitivity  score  of  ^  1  and  >  20 

Low 

Requirements/evaiuation  points  with  a  risk  sensitivity  score  of  <  1 

Example 
For  G002 

mSensHMty  =  0  +  0+16  +  40 
Score  =  56 

Using  the  table  above,  risk  sensitivity  of  G002  is  High. 
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3.  Updating  the 
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evaluation  points 


4.  Developing  a 
safety  survey 
schedule 


i 


C.  Determine  the 
risk  significance 


Step3.C 


Determine  the  risk  significance 


Risk  significance  of  a  requirement/evaluation  point  —  a 
weighting  of  each  requirement/evaluafion  point  based  on  mul¬ 
tiple  measures  of  risk  importance. 


Risk  significance  is  a  function  of  risk  contribution  and  risk 
sensitivity. 


Risk  significance  of  requirements/evaluation  points  is  based  on 
risk  contribution  and  is  assigned  as  High,  Medium,  or  Low.  If  risk 
sensitivity  is  low,  the  risk  significance  is  the  same  as  the  risk 
contribution.  However,  when  risk  sensitivity  is  greater,  adjust¬ 
ments  to  the  risk  contribution  ratings  are  made  (as  shown  in  the 
table  below)  to  assign  risk  significance. 


Risk  Sensitivity 
Importance 

Increase  in  Contribution-based  Importance  to 

Establish  the  Risk  Significance  of  Evaluation  Points 

High 

Two  categories  (e.g.,  Low  risk  contribution  becomes  High  risk  significance) 

Medium 

One  categories  (e.g.,  Low  risk  contribution  becomes  Medium  risk  significance) 

Low 

No  change  (e.g.,  Low  risk  contribution  becomes  Low  risk  significance) 

Example 


Requirement/ 
Evaluation  Point 

Risk  importance 

Risk  Significance 

Risk  Contribution 

Risk  Sensitivity 

G002 

High 

High 

High 

H043 

Medium 

Medium 

High 
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Step  4 


□ 


□ 


Developing  a  Safety  Survey  Schedule 

The  goal  of  developing  a  risk-based  safety  survey  schedule  is  to 
maintain  appropriate  control  of  risk  while  using  limited  survey 
resources  most  efficiently.  Fewer  resources  means  it  will  be  diffi¬ 
cult  to  assess  the  growing  number  of  requirements/evaluation 
points  during  each  safety  survey.  The  solution  is  to  reduce  the  set 
of  evaluation  points  reviewed  during  a  survey  by  reviewing  evalu¬ 
ation  points  at  a  frequency  proportional  to  their  risk  significance. 
This  is  accomplished  by  developing  different  survey  intensities  or 
safety  survey  levels,  as  shown  in  the  table  below,  and  applying  a 
different  survey  level  each  time  a  vessel  is  surveyed. 


Survey  Level 

Description 

1 

Assess  in  detail  all  evaluation  points  (within  subject  matter  scope)  listed  as 

High,  Medium,  or  Low  risk  significance 

2 

Assess  in  detail  all  evaluation  points  (within  subject  matter  scope)  listed  as 
Medium  or  High  risk  significance 

3 

Assess  in  detail  all  evaluation  points  (within  subject  matter  scope)  listed  as 

High  risk  significance 
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Note: 

When  planning  the  safety  survey,  it  is  important  to  be  flexible 
and  include  requirements/evaluation  points  or  issues  that 
warrant  attention,  but  are  not  included  in  the  safety  survey 
level  that  is  scheduled 


These  survey  levels  are  incorporated  into  a  schedule  such  as 
the  one  below.  The  schedule  below  is  on  a  3-year  cycle. 


Coast  Guard  Asset 

Year1 

Year  2 

Year  3 

Year  4 

etc... 

Vessel  Class  1 

Level  1 

Level  2 

Level  3 

Level  1 

Vessel  Class  2 

Level  3 

Level  1 

Level  2 

Level  3 

etc... 

The  different  levels  of  a  safety  survey  and  a  schedule  such  as 
the  one  above  assesses  high  risk  issues  (requirements/evalua- 
tion  points)  on  a  regular  basis  (every  time  a  survey  is  per¬ 
formed),  medium  risk  issues  on  a  less  frequent  basis  (fewer 
review  cycles),  and  low  risk  issues  on  an  even  less  frequent 
basis. 
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Step  5 


Improving  the  Safety  Survey  Process 


The  mechanics  and  performance  of  the  safety  survey  process 
should  continually  improve  as  it  matures.  Safety  survey  teams 
should  continually  look  for  ways  to  tweak  the  process  to  make 
It  run  more  smoothly  and  be  more  effective  in  managing  risk. 
The  following  are  several  ways  survey  teams  can  strive  to  im¬ 
prove  the  process: 


•  Look  for  ways  to  have  less  of  an  impact  on  a  unit  during  a 
survey,  but  still  remain  effective 

•  Review  the  survey  activities  and  results  after  a  survey  is  per¬ 
formed,  brainstorm  ways  to  improve  the  effectiveness  of  the 
survey,  implement  the  ideas  on  the  next  survey,  and  compare 
the  results 

•  Ask  unit  personnel  about  the  perceived  benefits  and  draw¬ 
backs  of  the  safety  survey  process 

•  Look  for  improvements  in  the  wording  of  evaluation  points  to 
make  them  clear  and  effective  in  assessing  the  intent  of  the 
associated  requirement(s) 
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Information  Exchange 


The  IRA  Risk-based  Safety  Survey 

■  introduction 

■  Performing  a  risk-based  safety  survey 

■  Maintaining  the  risk-based  safety  survey 
process 


■  Information  exchange  between  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 


■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 

■  Making  decisions  using  the  IRA  risk-based 
safety  survey 


Informotion  Exchange  Between  the  Risk-based  Safety 
Survey  and  the  Coarse  Hazard  Analysis 


List  of  Coast  Guard  safeguards 


Dspsndability  of  safeguards 


- 

<r  Risk  characterization  of  deviations 

<  Risk-based  reconvnendations  for 
modifying  requirements 

<  Risk-based  recommendations  for 
modifying  evaiuation  points 


Safeguards  identified  In 
the  hazard  analysis 


Risk-based  Safety  Survey  Coarse  Hazard  Analysis 

7.  List  of  Coast  Guard  safeguards 

The  requirements  within  the  safety  surveys  define  how  the 
Coast  Guard  will  implement  safeguards  to  prevent  mis¬ 
haps.  These  requirements  and  safeguards  provide  the  bases 
for  coarse  hazard  analysis  teams  to  judge  whether  the  risk 
of  possible  deviations  is  acceptable. 
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2.  Information  about  the  dependability  of  safeguards 

Summaries  of  frequencies/severities  of  nonconformances 
from  Coast  Guard  requirements  during  past  surveys  help 
hazard  analysis  teams  judge  the  dependability  of  safe¬ 
guards  in  preventing  mishaps. 

Coarse  Hazard  Analysis  ■=>  Risk-based  Safety  Survey 

7.  Risk  characterization  of  deviations 

The  safety  survey  process  uses  the  risk  characterization  of 
deviations  to  characterize  survey  findings.  By  trending  find¬ 
ings,  the  dependability  of  safeguards  can  be  analyzed.  It  may 
be  necessary  to  adjust  the  risk  scores  associated  with  cer¬ 
tain  deviations  to  reflect  the  historical  safeguard  informa¬ 
tion  from  the  safety  surveys. 

2.  Risk-based  recommendations  for  adding/modifying/deleting 
requirements  or  evaluation  points 

While  evaluating  possible  deviations  that  may  lead  to  mis¬ 
haps,  coarse  hazard  analysis  teams  may  identify  that  a 
Coast  Guard  requirement  should  be  (1)  added  to  provide 
an  additional  safeguard  or  to  make  an  existing  safeguard 
more  effective,  (2)  modified  to  make  an  existing  safeguard 
more  effective  or  its  implementation  less  burdensome,  and/ 
or  (3)  eliminated  because  of  marginal  (or  no)  benefit. 

3.  Required  safeguards  identified  during  the  coarse  hazard 
analysis 

The  coarse  hazard  analysis  identifies  safeguards  necessary  to 
achieve  an  acceptable  level  of  risk.  Requirements  and  evalua¬ 
tion  points  ensure  that  these  safeguards  are  effectively 
performing  their  design  intent.  Evaluation  points  may  be 
needed  to  assess  important  safeguards  that  are  not  even 
actual  requirements  (and,  therefore,  are  not  currently  in 
evaluation  point  checklists). 


Coast  Guard  IRA  Manual 


8-59 


Risk-based  Safety  Surveys 
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The  IRA  Risk-based  Safety  Survey 

■  Introduction 

■  Performing  a  risk-based  safety  survey 

■  Maintaining  the  risk-based  safety  survey 
process 

■  Information  exchange  between  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 


■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 


■  Making  decisions  using  the  IRA  risk-based 
safety  survey 

^  Using  the  Risk-based  Safety  Survey  to  Update  the 
_ J  Coarse  Hazard  Analysis 

The  safety  survey  process  can  assist  in  updating  the  deviation 
risk  scores  in  the  coarse  hazard  analysis  under  two  circum¬ 
stances:  (1)  during  a  periodic  coarse  hazard  analysis  update 
and  (2)  when  historical  safety  survey  data  provide  evidence 
that  the  risk  score  of  a  deviation  should  be  reviewed. 

Regardless  of  the  circumstance,  the  method  used  is  the  same. 
The  safety  survey  process  catalogs  information  about  past 
deficiencies  and  provides  insight  into  the  dependability  of 
various  loss  prevention  safeguards  over  a  period  of  time. 
Occasionally,  it  is  necessary  to  reevaluate  the  risk  characteriza¬ 
tions  of  deviations  in  the  coarse  hazard  analysis  because  the 
safeguards  are  less  dependable  than  was  thought  during  the 
analysis. 

Findings  with  high  risk  impacts  indicate  how  undependable  a 
safeguard  (requirement/evaluation  point)  has  become.  The 
coarse  hazard  analysis  assumed  that  safeguards  met  their 
design  intent  and  were  reasonably  dependable. 

Findings  data  can  be  used  to  identify  deviations  requiring 
review  by  analyzing  the  percentage  of  time  a  finding  associ¬ 
ated  with  a  requirement/evaluation  point  results  in  each  risk 
impact  category. 
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Updating  the  Coarse  Hazard  Analyses 


Requirement 

Evaluation  Point 

Percentage  of  Time  a  Finding  Associated  with  a 
Requirement/Evaluation  Point  Resulted  in 

Each  Risk  Impact  Category 

Very  Low 

Low 

Medium 

High 

NSTM  553-2.1.3 

G002 

8% 

0% 

8% 

20% 

COMDTINST 

M6240.4A, 

Ch.  3-F-1  thru  3- 
F-3  and  12-A 

H043 

40% 

13% 

6% 

0% 

The  percentages  are  calculated  by  dividing  the  number  of 
findings  in  each  risk  impact  category  by  the  total  number  of 
times  an  evaluation  point  is  surveyed. 

Example 

Evaluation  point  G002  has  been  surveyed  25  times.  Find¬ 
ings  are  as  follov/s: 

Very  lov/  =  2 
Low  =  0 
Medium  =  2 
High  =  5 

Percentages  for  G002  are  calculated  as  follows: 


Very  low  =  2/25 

=  0,08 

8% 

Low  =  0/25 

=  0 

0% 

Medium  =  2/25 

=  0.08 

8% 

High  =  5/25 

=  0.2 

20% 

This  information  may  indicate  the  need  to  update  the  risk 
profiles  in  the  coarse  hazard  analysis  or  could  be  used  when 
periodically  updating  the  coarse  hazard  analysis. 
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Making  Decisions 


The  IRA  Risk-based  Safety  Survey 

■  Introduction 

■  Performing  a  risk-based  safety  survey 

■  Maintaining  the  risk-based  safety  survey 
process 

■  Information  exchange  between  the  risk-based 
safety  survey  and  the  coarse  hazard  analysis 

■  Using  the  risk-based  safety  survey  to  update 
the  coarse  hazard  analysis 


■  Making  decisions  using  the  IRA  risk-based 
safety  survey 


Making  Decisions  Using  the  IRA  Risk-based  Safety 
Survey 

The  IRA  risk-based  safety  survey  results  allow  decision  makers 
to  incorporate  risk-based  information  into  the  Coast  Guard 
decision-making  process.  This  section  describes  the  ways  Coast 
Guard  decision  makers  use  the  hazard  analysis  results. 

The  following  Coast  Guard  decision  makers  use  these  results: 

•  Engineering  managers 

•  Facilities  managers 

•  Unit  commands 

•  Unit  safety  managers 

•  Senior  management 

Hazard  analysis  results  are  used  in  the  following  Coast  Guard 
activities: 

•  Unit  operations  and  maintenance 

•  Area,  district,  or  group  management  of  operations  and 
maintenance 

•  Decommissioning 

Only  the  activities  that  are  applicable  to  a  specific  decision  maker 
are  listed.  For  each  activity,  a  table  provides  typical  uses  of  the 
risk-based  safety  survey  that  support  the  activity,  example  out¬ 
comes  from  using  the  safety  survey,  and  the  applicable  safety 
survey  results  required  to  achieve  the  outcome. 
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Type  of  Activity 

Decision 

Maker 

Use  of  the  Safety 
Survey  Results 

Example  Outcome 

Applicable  Safety 
Survey  Results 

Vessel  Operations 
and  Maintenance 

Engineering 

Managers 

Facilities  Managers 

Vessel  Commands 

Identification  of  weaknesses  in 
procedures  that  coutd  lead  to 
losses  of  interest  (case-by- 
case  basis  for  procedures 
developed  and  approved  by 
vessel-board  personnel) 

Revising  vague  steps  of  a 
procedure  (e.g.,  "open  the 
valve  slightly"),  because  a 
human  error  associated  with 
the  operation  could  lead  to  a 
loss  of  interest 

Root  cause  analysis  of 
findings 

Vessel  Safety 
Managers 

Area,  District,  or 
Group 

Management  of 
Operations  and 
Maintenance 

Engineering 

Managers 

Facilities  Managers 

Vessel  Safety 
Managers 

Senior 

Management 

Identification  of  design 
weaknesses,  safe  operating 
limits,  critical  preventive 
maintenance  tasks,  human 
factors  issues,  etc.,  for 
selected  systems  (i.e.,  those 
that  could  lead  to  losses  of 
interest)  aboard  existing  ships 
that  did  not  receive  such 
reviews  before  being  placed  in 
operation 

1.  Recommendations  for  side- 
scanning  sonar  to  detect 
submerged  objects  for 
cutters  traveling  around 
reefs 

2.  Recommending  redesign  of 
a  small  craft  launching 
system  component  that 
could  inadvertently  trigger  a 
release  of  a  boat 

Root  cause  analysis  of 
findings 

Identification  of  safe  operating 
limits  (from  an  operations/ 
command  perspective  rather 
than  a  hardware  system 
design  perspective,  which  was 
addressed  during  design 
reviews)  and  preferred 
precautions  to  be  taken  If 
operating  outside  of  such 
restrictions 

Prohibiting  aircraft  fueling 
operations  and  other 
flammable  material  handling 
activities  until  disabled 
onboard  firefighting  systems 
are  returned  to  service,  but 
allowing  emergency  fueling 
operations  if  another  onboard 
pump  can  be  rigged  to 
temporarily  provide  adequate 
firefighting  capability 

Root  cause  analysis  of 
findings 

Identification  of  critical  training 
topics,  necessary  standard 
procedures,  etc.,  for  preventing 
losses  of  interest 

Deciding  to  write  a  special 
procedure  and  conduct  special 
training  for  the  proper  way  to 
launch  a  new  t^e  of  small 
craft  (because  the  operation  is 
significantly  different  from 
similar  operations  with  older 
small  craft) 

Root  cause  analysis  of 
findings 

Identification  of  weaknesses  in 
procedures  and  human  factors 
Issues  that  could  lead  to  losses 
of  interest  (for  standard 
procedures  applicable  to  a 
class  of  vessels  or  the  entire 
fleet) 

Making  the  units  of  pressure 
referenced  in  a  procedure 
(e.g.,  SI  units)  consistent  with 
those  commonly  used  aboard 
a  vessel  and  on  the  vessel's 
gauges  (e.g.,  English  units)  to 
help  prevent  confusion  that 
could  lead  to  an  operating 
error 

Root  cause  analysis  of 
findings 
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Type  of  Activity 

Decision 

Maker 

Use  of  the  Safety 
Survey  Results 

Example  Outcomes 

Applicable  Safety 
Survey  Results 

Area,  District,  or 
Group 

Management  of 
Operations  and 
Maintenance 
(continued) 

Engineering 

Managers 

Facilities  Managers 

Vessel  Safety 
Managers 

Senior 

Management 

Assigning  measures  of 
importance  to  safety  inspection 
items  to  help  prioritize 
responses  to  noted 
deficiencies 

Deferring  resolution  of  a  few 
defidendes  noted  during  a 
safety  inspection  until  next 
fiscal  year  because  the 
defidendes  do  not  pose  any 
significant  risks  of  losses 

1 .  Risk  ranking  of 
requirements/evaluation 
points 

2.  Risk  ranking  of  findings 
assodated  with  the  issue 

Decommissioning 

Facilities  Managers 

Senior 

Management 

Identification  of  weaknesses  in 
equipment  used  for 
decommissioning  and 
assodated  procedures  that 
could  lead  to  losses  of  interest 

Modifying  the  equipment  and 
procedures  used  to  de¬ 
inventory  hazardous  materials 
from  a  vessel  white  the  vessel 
is  being  decommissioned 

Root  cause  analysis  of 
findings 
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Functions,  and  Deviations 


Operations/Evolutions,  Functions, ... 


Introduction 


Section  9  contains  the  following  information: 

1 .  Operations/Evolutions  —  The  current  list  of  Coast  Guard 
operations/evolutions  for  vessels  and  shore  facilities 

2.  Functions  and  Deviations  —  The  current  list  of  Coast 
Guard  functions  and  deviations  for  vessels  and  shore  facili¬ 
ties 

3.  Guide  to  Functions  —  A  table  of  example  activities  that  are 
within  the  scope  and  outside  the  scope  of  each  function 

4.  Guide  to  Deviations  —  A  table  providing  the  purpose  of 
each  deviation  and  example  issues  related  to  each  deviation 

5.  Example  Operation/Evolution  and  Function  Matrices  — 
Example  matrices  for  vessel,  integrated  Support  Command 
(ISC),  and  Marine  Safety  Office  (MSO) 
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1.  Operations/Evolntions  — 1/1/98 

Vessel 

The  operations/evolutions  listed  below  constitute  the  complete 
set  of  operations/evolutions  for  all  Coast  Guard  vessels.  The 
operations/evolutions  applicable  to  a  specific  vessel  will  depend 
on  the  vessel  type  and  its  mission(s). 

•  Working  aids  to  navigation 

•  Towing 

•  Boarding 

•  Damage  control  —  fire 

•  Damage  control  —  flood 

•  Helicopter  operations 

•  Fueling  —  pier  side 

•  Fueling  —  underway  replenishment 

•  Small  boat  launch/recovery  —  from  vessel 

•  Small  boat  launch/recovery  —  from  land 

•  Anchored/moored/stored 

•  Vessel  leaving/returning 

•  Vessel  in  transit/restricted  waters 

•  Launch/recover  swimmers/divers 

•  Not  operation/evolution  specific  (includes  open-water 
maneuvering) 

Shore  —  ISC 

The  operations/evolutions  listed  below  constitute  the  complete 
set  of  operations/evolutions  for  all  Coast  Guard  ISC  opera¬ 
tions.  The  operations/evolutions  applicable  to  a  specific  ISC  will 
depend  on  its  mission(s). 

•  Pier  services 

•  Industrial  services 

•  Base  services 

Shore  —  MSO 

The  operations/evolutions  listed  below  constitute  a  sample  set 
of  operations/evolutions  for  Coast  Guard  MSO  operations.  The 
operations/evolutions  applicable  to  a  specific  MSO  will  depend 
on  its  mission  (s). 

•  Letter  of  Compliance  inspections 

•  Overseas  inspections 

•  Deep  draft  inspections  —  dry  dock 

•  Poilution  response  (active  and  passive) 

•  Barge  inspections 

•  Container  inspections 

•  Waterfront  facility  inspections 

_ *  Port  security  operations _ 


9-4 


Coast  Guard  IRA  Manual 


Operations/Evolutions,  Functions, ... 


Functions  ond  Deviations 


2.  Functions  ond  Deviations  —  1/1/98 

The  functions  and  deviations  listed  below  are  applicable  to 
vessels  and  shore  facilities  unless  otherwise  indicated  (e.g.,  ISC 
only,  MSO  and  ISC  only) 

Note:  The  set  of  deviations  in  bold  type  under  the  first  function 
are  the  standard  set  of  deviations  applicable  to  all  functions. 

Operating  vessels/craSt 

•  Vessel/craft  unavailable 

•  Incorrect  position/direction/speed 

•  Vessel/craft  fails  to  maintain  position 

•  Vessel  struck  by  floating  object 

•  Vessel  impacts  submerged  object 

•  Vessel  struck  by  another  vessel 

•  Physical  hazards  exposure 

•  Toxic/corrosive/reactive  materials  exposure 

•  Fire/explosion 

•  Asphyxiant  environment  exposure 

•  Electrical  hazards  exposure 

•  High  pressure  materials  exposure 

•  High  noise  exposure 

•  Excessive  vibration  exposure 

•  Radiation  exposure 

•  Biological  hazards  exposure 

•  Hot/cold  environments  exposure 

•  Hot/coid  surfaces/materiais  exposure 

Operating  aireraii  (in-tiigbt  and  ground  operations):  vessel  ond 
MSO  only 

•  Aircraft  unavailable 

•  Incorrect  position/direction/power/speed 

•  Aircraft  fails  to  maintain  position 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Operating  powered  vebieles  (imeks,  ears,  mobile  cremes, 
iorkUHs,  e/e:,//ISC  and  MSO  only 

•  Vehicle  unavailable 

•  Incorrect  position/direction/speed 

•  Vehicle  fails  to  maintain  position 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 
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Operations/Evolutions 


Operating  btittd-opertMled  moving  equipment  (doIUes,  carts,  etc.) 

•  Equipment  unavailable 

•  Incorrect  position/direction/power/speed 

•  Equipment  fails  to  maintain  position 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Operating  lilting  equipment 

•  Lifting  equipment  unavailable 

•  Loss  of  support 

•  Incorrect  load  position/direction/speed 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Operating  deck  equipment  (excluding  small  boat  davit/crane); 
vessel  only 

•  Deck  equipment  unavailable 

•  Loss  of  line  support 

•  Incorrect  direction/speed 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing/maintadning  structures  (buildings,  piers,  vessels, 
craii):  ISC  and  vessel  only 

•  Excessive  static  structural  loading 

•  Excessive  dynamic  structural  loading 

•  Structural  degradation 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Operating  industrial  systems/equipmeut;  ISC  and  vessel  only 

•  System/equipment  unavailable 

•  Poor  quality  products/service/operations 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Operating  latge  caliber  weapons/  ISC  and  vessel  only 

•  inoperable  weapons 

•  Inadvertent  firing 

•  Firing  live  ammunition  instead  of  blanks 

•  Firing  at  the  wrong  target/position 

■  Standard  set  of  deviations  (listed  under  vessels/craft) 

Operating  small  caliber  weapons  and  other  weapons 

•  Inoperable  weapons 

•  Inadvertent  firing 

•  Inadvertent  actuation  of  nonfirearm  weapon  (mace,  stun 
gun,  etc.) 

•  Firing  live  ammunition  instead  of  blanks 

•  Firing  at  the  wrong  target/position 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 
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Functions  and  Deidations 


Providinff  eleeiromc  systems  services;  ISC  and  vessel  only 

•  Inadequate/no  electronic  systems  service 

•  Electronic  systems  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  electrical  power  services;  ISC  and  vessel  only 
■  Inadequate/no  electrical  power  service 

•  Incorrect  electrical  power  frequency/voltage/phase 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  fueling  services;  ISC  and  vessel  only 

•  Inadequate/no  fueling  services 

•  Fuel  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  ballasting;  vessel  only 

•  Inadequate/no  ballasting 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  flood  control  services;  vessel  only 

•  Inadequate/no  flood  control 

•  Flood  control  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  potable  water  services;  ISC  and  vessel  only 

•  Inadequate/no  potable  water 

•  Potable  water  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  drainage  services;  ISC  ond  vessel  only 

•  Inadequate/no  drainage  system 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  beating/ventilation/edr  conditioiung  (HVAC)  services; 
ISC  and  vessel  only 

•  inadequate/no  HVAC 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  trash  removed  services;  ISC  and  vessel  only 

•  Inadequate/no  trash  removal 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  compressed  air  services;  ISC  and  vessel  only 

•  Inadequate/no  compressed  air 

•  Compressed  air  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  compressed  gas  services;  ISC  and  vessel  only 

•  Inadequate/no  compressed  gases 

•  Compressed  gas  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 
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Operations/Evolutions 


Providing  sewage  services;  ISC  cntd  vessel  only 

•  Inadequate/no  sewage  services 

•  Effluent  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  iood  services;  ISC  and  vessel  only 

•  inadequate/no  food  services 

•  Food  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  berthing  services;  ISC  and  vessel  only 

•  Inadequate/no  berthing  services 

•  Berthing  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  laundry  services;  vessel  only 

•  Inadequate/no  laundry  services 

•  Laundry  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  steam  services;  ISC  and  vessel  only 

•  Inadequate/no  steam  services 

•  Steam  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  medical  services;  ISC  and  vessel  only 

•  Inadequate/no  medical  services 

•  Medical  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  recreation  services;  ISC  and  vessel  only 

•  Inadequate/no  recreation  services 

•  Recreation  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  administrative  services 

•  Inadequate/no  administrative  services 

•  Administrative  services  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  warebonsing  services;  ISC  and  vessel  only 

•  Inadequate/no  warehousing  service 

•  Warehousing  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  Ore  services;  ISC  and  vessel  only 

•  Inadequate/no  fire  services 

•  Fire  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 
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Functions  and  Deviations 


Providing  seeuriig  serviees;  ISC  and  vessel  only 

•  Inadequate/no  security  services 

•  Security  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Providing  assessment/invesdgation/eoordination  serviees 

•  Inadequate/no  assessment/investigation/coordination 

•  Assessment/investigation/coordination  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  propulsion  maebinery  and  diesels;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  steering  equipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vesseis/craft) 

Inspecting  boilers  and  pressure  vessels;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  anxilitny  macItinerY/sYstems;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  electrical  systems;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  tire  protection  equipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  Uiesaving  equipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vesseis/craft) 

Inspecting  emergency  equipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 
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Ogerations/Eirolution^^ 


Operations/Evolutions 


Inspeeling  pollution  prevention  systems/eqnipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Jttspeetinff  navigatiott  equipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  ground  tackle;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  deck  equipment;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  structures:  kuU  and  waterdgkt  integrity;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  structures:  knil — extemai;  MSO  only 

•  inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  stmedures:  shore  iacUities;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  accommodations;  MSO  only 

•  Inadequate/no  inspection  services 

•  inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspeeding  cargo  handling,  storage,  ballasting,  and  bunkering; 
MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 

Inspecting  cargo  pump  rooms;  MSO  only 

•  Inadequate/no  inspection  services 

•  Inspection  service  quality  problem 

•  Standard  set  of  deviations  (listed  under  vessels/craft) 
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3.  Guide  to  Functions  —  1/1/98 


Function 

Within  Scope 

Outside  Scope 

Operating  vessels/ 
craft 

Operating/maintaining  engines 
Operating/maintaining  thrusters 
Operating/maintaining  steering 
systems 

Navigation  and  bridge  functions 

Operating/maintaining  support 
systems  for  those  systems 
listed  to  the  left  (addressed 
individually  in  subsequent 
functions) 

Operating  aircraft  (in¬ 
flight  and  ground 
operations) 

Operating/traveling  in  aircraft 
Operating  tow  tractors  for  moving 
aircraft  on  the  ground 

Rolling  helos  into  or  out  of  hangars 
Maintaining  helos 

Providing  ground  support  during 
take-offs  and  iandinqs 

Operating  powered 
vehicles 

Operating/maintaining/traveling  in 
trucks,  cars,  mobile  cranes, 
forklifts,  etc. 

Operating/maintaining/traveling  in 
vessels  or  aircraft  (addressed  in 
analyses  of  aircraft  or  vessel 
operations) 

Lifting  objects  with  a  mobile  crane 
or  forktruck  (addressed  in 
analyses  of  lifting  equipment 
operations) 

Operating  hand- 
operated  moving 
equipment 

Operating/maintaining  dollies, 
carts,  etc. 

Operating/maintaining  powered 
lifting  equipment  such  as 
forklifts,  cranes,  and  elevators 
(addressed  in  separate  lifting 
equipment  function) 

Rolling  helos  into/out  of  hangars 
(addressed  in  the  ground 
transportation  aspects  of 
operating  aircraft) 

Operating  lifting 
equipment 

Operating/maintaining  powered 
lifting  equipment  such  as 
forklifts,  cranes,  elevators,  etc. 

Operating/maintaining  manual 
lifting  gear  such  as  "corne- 
alongs,"  chain  falls,  and  manual 
lifting  tackle 

Driving  the  mobile  crane  or 
forktruck  around  (addressed  in 
analyses  of  powered  vehicle 
operations) 

Operating  deck 
equipment 

Operating/maintaining  capstans, 
winches,  etc. 

Operating  hand-held  tools  used  on 
deck 

Operating  lifting  equipment  (such 
as  the  small  boat  cranes  and 
davits)  or  guns  on  deck 
(addressed  in  separate  lifting 
and  weapons  functions) 

Providing/maintaining 
structures  (buildings, 
piers,  vessels,  craft, 
etc.) 

Structural  integrity  of  buildings, 
vessels,  piers,  etc. 

Maintaining  structural  elements  of 
buildings,  vessels,  piers,  etc. 

Operating/maintaining  support 
systems  for  the  structures  listed 
to  the  left  (addressed 
individually  in  subsequent 
functions) 
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Function 

Within  Scope 

Outside  Scope 

Operating  industrial 
systems/equipment 

Operating/maintaining  equipment 
(such  as  welding  equipment  anc 
drill  presses)  in  maintenance 
shops 

Operating/maintaining  portable 
equipment  (such  as  welding 
equipment,  cutting  machines, 
etc.)  at  remote  locations 

Operating/maintaining  support 
systems  for  buildings/vessels 
(addressed  individually  in  other 
functions) 

Operating  lifting  equipment  in 
conjunction  with  industrial 
systems/equipment  (addressed 
in  the  lifting  equipment  function) 

Operating  large  calibei 
weapons 

Firing  large  caliber  weapons 
Maintaining  large  caliber  weapons 
Storing/transferring  large  caliber 
ammunition 

Operating  small  caliber  weapons 
(handguns,  rifles,  shotguns, 
mace,  etc.)  (addressed  in  the 
small  caliber  weapons  function) 

Operating  small 
caliber  weapons  and 
other  weapons 

Operating/maintaining  small 
caliber  weapons  and  other 
weapons  (handguns,  rifles, 
shotguns,  mace,  etc.) 

Storing/transferring  small  caliber 
weapons  and  other  weapons 

Operating  large  caliber  weapons 
(addressed  in  the  large  caliber 
weapons  function) 

Providing  electronic 
services 

Operating/maintaining  radars 
Operating/maintaining  radios  and 
other  communications  systems 
(including  satellite  systems) 
Operating/maintaining  guidance 
and  positioning  systems 

Operating  electrical  power 
systems  (addressed  in  the 
electrical  power  services 
function) 

Providing  electrical 
power  services 

Operating/maintaining  generators 
Operating/maintaining  distribution 
systems  (cables,  circuit 
breakers,  etc.) 

Operating/maintaining  shore  ties 

Operating  electronic  systems 
(addressed  in  the  electronic 
services  function) 

Using  electrical  power  for  various 
equipment  such  as  industrial 
machines,  hand  tools,  HVAC 
equipment,  lifting  equipment, 
etc.  (addressed  in  the  functions) 

Providing  fueling 
services 

Operating/maintaining  fuel  tanks 
Operating/maintaining  distribution 
piping 

Operating/maintaining  equipment 
for  replenishing  fuel  supplies 

Using  fuel  associated  with  various 
equipment  such  as  engines, 
generators,  boilers,  helos, 
industrial  machines,  vehicles, 
pumps,  etc.  (addressed  in  the 
functions  associated  with  this 
equipment) 

Storage  of  small  gasoline 
containers  (addressed  in  the 
warehousing  function) 

Providing  ballasting 
services 

Operating/maintaining  ballast 
tanks 

Operating/maintaining  ballast 
piping  system 

Operating/maintaining  support 
systems  for  buildings/vessels 
(addressed  individually  in  other 
functions) 

Operating  lifting  equipment  in 
conjunction  with  industrial 
systems/equipment  (addressed 
in  the  lifting  equipment  function) 
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Function 

Within  Scope 

Providing  flood  control 
services 

Operating/maintaining  emergency 
pumping  gear  and  flooding 
containment  gear 
Providing/maintaining  watertight 
compartments/doors 

Providing  potabie 
water 

Operating/maintaining  potable  ' 

water 

Operating/maintaining  desalinatior 
equipment 

Operating/maintaining  distribution 
piping 

Operating/maintaining  equipment 
for  repienishing  potable  water 
supplies 

Providing  drainage 
services 

Operating/maintaining  biige 
systems 

Operating/maintaining  deck, 
compartment,  building,  and 
parking  lot  drains 

Providing  heating, 
ventilating,  air 
conditioning  services 

Operating/maintaining  HVAC 
systems 

Providing  trash 
removal  services 

Operating/maintaining  incinerators 
Storing/handiing  waste  materials 

Providing  compressed 
air  services 

Operating/maintaining  air 
compressors 

Operating/maintaining  distribution 
piping 

Providing  compressed 
gas  services 

Storing/using/maintaining 
compressed  gas  cyiinders 

Providing  sewage 
services 

Operating/maintaining  the  sewage 
tanks 

Operating/maintaining  the  sewage 
collection  piping 

Operating/maintaining  equipment 
for  transferring  sewage  from  the 
vessei 

Providing  food 
services 

Food  procurement  function 

Food  storage  (including 
refrigerators  and  freezers) 

Food  preparation  and  dispensing 
Operating/maintaining/cleaning 
galley  equipment 

Sanitizing  eating  utensils,  plates, 
pots,  and  pans 

Outside  Scope 


Operating  small  caliber  weapons 
(handguns,  rifles,  shotguns, 
mace,  etc.)  (addressed  in  the 
small  caliber  weapons  function) 


Use  of  emergency  pumping  gear 
for  emergency  flood  control 
(addressed  in  flood  control 
services) 


Operating  lifting  equipment  to 
transfer  waste  materials  to 
shore  (addressed  in  lifting 
equipment  function) 


Use  of  compressed  air  cylinders 
(addressed  in  the  compressed 
gas  services  function) 


Use  of  potable  water  in  food 
services  applications,  steam 
system,  laundry  services, 
sewage  services,  medical 
services,  etc.  (addressed  in  the 
various  functions  for  these 
activities) 


Food  not  served  by  crew  (catered 
food,  food  consumed  off  site, 
food  obtained/stored  by 
individuais) 
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Function 

Within  Scope 

Providing  berthing 
services 

Providing/maintaining  living 
quarters  (including  bunks) 
Providing/maintaining  shower/ 
toilet  facilities 

Providing  laundry 
services 

Operating/maintaining  washers, 
dryers,  etc. 

Providing  steam 
services 

Operating/maintaining  boilers 
Operating/maintaining  steam 
distribution  piping 

Providing  medical 
services 

Medical  examinations/care 
Storing/dispensing  medicine 
Storing/disposing  of  medical 
wastes 

Providing  recreational 
services 

Operating/maintaining  recreationa 
gear 

Performing  recreational  activities 

Providing 

administrative  servicei 

Operating/maintaining  office 
equipment 

Performing  office  duties 

Providing  warehousing 
services 

Storing/distributing  equipment  and 
other  materials 

Providing  fire  services 

Operating/maintaining  fixed  fire 
protection  systems  (halon, 

AFFF,  water  sprinklers) 

Operating/maintaining  hose 
systems 

Operating/maintaining  fire 
extinguishers  (PKP,  chemical, 
water) 

Operating/maintaining  emergency 
portable  fire  pump/hose  system: 

Providing  security 
services 

Standing  security-related  watches 
Dealing  with  security  issues 
(confronting  trespassers, 
subduing  assailants,  etc.) 

Providing  assessment 
investigation/ 
coordination  services 

Standing  watches 

Performing  rounds 

Conducting  specific  audits, 
examinations,  and  evaluations 

Inspecting . . .  (specify 
item  to  be  inspected); 
MSO  inspection 
functions 

Conducting  specific  audits, 
inspections,  and  examinations 
of  systems,  equipment, 
structures,  etc. 

Outside  Scope 


Providing  potable  water 
(addressed  in  potable  water 
services  function) 


water,  ammunition,  food, 
medical  supplies,  or  trash 
(addressed  in  separate  function 
related  to  use  of  those 


other  weapons  (addressed  in  th 
small  weapons  function) 
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4.  Guide  to  Deviations  —  1/1/98 


Deviation 

Purpose 

Examples  of  Issues 

Related  to  Deviation 
{shown  as  Deviation  {function)] 

{Function}  unavailable 

Explores  potential  mishaps 
resulting  from  a  loss  of  functionality 
(complete  or  partially  degraded 
capability) 

Vessel/craft  unavailable  {operating 
vessels/craft):  Loss  of  mission 
capability 

Inadequate/no  flood  control 
{providing  flood  control  services): 
Flooding  of  vessel  compartment 

{Function}  quality 
problem 

Explores  potential  mishaps 
resulting  from  upsets  in  delivery  of 
a  function  (i.e.,  ^ilures  to  meet 
specific  performance  criteria,  given 
that  the  function  is  occurring) 

Incorrect  position/direction/speed 
{operating  vessels/craff): 

Collision  or  grounding  of  vessel 
Potable  water  quality  problem 
{providing  potable  water 
services):  Exposure  of  crew  to 
biological  hazards 

Firing  live  ammunition  instead  of 
blanks  {operating  large  caliber 
weapons):  Potential  personnel/ 
public  injury 

Physical  hazards 

Explores  how  personnel  could  be 
injured  or  equipment  damaged  in 
the  routine  performance  of  th  2 
function 

Physical  hazards  {operating  deck 
equipment):  Physical  injury 
caused  by  a  hand  caught  in  a 
winch 

Physical  hazards  {providing  food 
services):  Physical  injury  caused 
by  cuts  from  sharp  knives  and 
food  preparation  equipment 

Toxic/corrosive/ 
reactive  materials 
exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  exposure  to  hazardous 
materials  during  routine 
performance  of  the  function 

Toxic/corrosive/reactive  materials 
exposure  {providing  laundry 
services):  Personnel  exposure 
caused  by  splashing  of  bleach 
into  a  crew  member’s  eyes 
Toxic/corrosive/reactive  materials 
exposure  {providing  steam 
services):  Personnel  exposure 
resulting  from  handling  of 
insulation  containing  asbestos 
during  maintenance  of  steam 
pipes 
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Deviation 

Purpose 

Examples  of  Issues 

Related  to  Deviation 
[shown  as  Deviation  {function)] 

Fire/explosion 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  a  fire/explosion  during  routine 
performance  of  the  function 

Fire/explosion  {providing  fueling 
services):  Fire  caused  by  ignition 
of  fuel  spill  that  occurs  during 
fueling  of  a  vessel 

Fire/explosion  {providing  electrical 
power  services):  Explosion 
caused  by  ignition  of  hydrogen 
that  evolves  from  battery 
charging 

Asphyxiating 
environment  exposure 

Explores  how  personnel  could  be 
placed  in  an  asphyxiating 
environment  during  routine 
performance  of  the  function 

Asphyxiating  environment 
exposure  {providing  HVAC 
services):  Asphyxiation  of  a  crew 
member  in  a  space  with  limited 
natural  ventilation 

Asphyxiating  environment 
exposure  {providing  fire 
services):  Asphyxiation  of  a  crew 
member  in  a  space  protected  by 
a  halon  system 

Electrical  hazards 
exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  eiectricity  during  routine 
perfOb  mance  of  the  function 

Electrical  hazards  exposure 
{providing  electrical  power 
services):  Person  electrocuted 
from  contact  with  a  high  voltage 
circuit  breaker 

Electrical  hazards  exposure 
{providing  electronic  services): 
Sensitive  equipment  damage  by 
a  power  supply  surge 

Electrical  hazards  exposure 
{operating  industrial  equipment/ 
machines):  Person  electrocuted 
because  of  an  internal  short  in  a 
motor  that  was  not  well- 
grounded 

High  pressure 
materials  exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  a  release  of  high  pressure 
materials  during  routine 
performance  of  the  function 

High  pressure  materials  exposure 
{providing  compressed  gas 
services):  Person  injured  or 
equipment  damaged  by  escaping 
gas  from  a  compressed  gas 
cylinder  failure 
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Deviation 

Purpose 

Examples  of  Issues 

Related  to  Deviation 
[shown  as  Deviation  (function)] 

High  noise  exposure 

Explores  how  personnel  could  be 
injured  in  a  high  noise  environment 
during  routine  performance  of  the 
function 

High  noise  exposure  (operating 
vesseis/crak):  Hearing  damage 
for  person  stationed  in 
compartment  adjacent  to  engine 
room  while  the  vessel  is 
underway 

High  noise  exposure  (operating 
iarge  caiiber  weapons):  Hearing 
damage  from  person  not  wearing 
ear  protection  on  deck  when 
weapons  are  being  fired 

Excessive  vibration 
exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  excessive  vibration  during 
routine  performance  of  the  function 

Excessive  vibration  exposure 
(operating  vesseis/craff):  Fatigue 
damage  to  equipment  adjacent 
to  the  engines  caused  by 
vibration  from  the  engines 

Radiation  exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  radiation  during  routine 
performance  of  the  function 

Radiation  exposure  (providing 
eiectronic  systems  services): 
Exposure  of  maintenance 
technician  to  energized  radar 
while  working  aloft 

Biological  hazards 
exposure 

Explores  how  personnel  could  be 
injured  from  biological  organisms 
during  routine  performance  of  the 
function 

Biological  hazards  exposure 
(providing  food  services): 
Exposure  of  crew  to 
inadequately  cooked  meat 
Biological  hazards  exposure 
(providing  sewage  services): 
Exposure  of  crew  member  to 
organisms  while  maintaining 
sewage  system 

Hot/cold  environments 
exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  hot/cold  environments  during 
routine  performance  of  the  function 

Hot/cold  environments  exposure 
(operating  deck  equipment): 
Frostbite  for  crew  member  while 
working  on  deck  in  cold  weather 

Hot/cold  surfaces/ 
materials  exposure 

Explores  how  personnel  could  be 
injured  or  equipment  damaged 
from  hot/cold  surfaces/materials 
during  routine  performance  of  the 
function 

Hot/cold  surfaces/materials 
exposure  (providing  steam 
services):  Thermal  bums  for 
crew  member  caused  by  a  failed 
steam  line 

Coast  Guard  IRA  Manual 


9-17 


Vessel  Operation/Evolution 


Operations/Evolutions,  Functions, ... 


Example  Matricejs 


Vessel  operations/evolntions  and  hinetion  motrix 


(BuueAnaueuj  jate/w 
uado  Bujpnpu!) 
oijiaads  uopnioAa 
/uopejado  )on 


SJaAfp/sjauituiMS 

jaAoaaj/i{3unE-| 


sjajeM  papufsaj 
/)!suej}  u|  lassaA 


Bumjntaj 
/BuiAcai  lassaA 


pajo)s 

/paJooui/pajot|3uv 


puei 

luojj  -  XjaAOoaj 

/M3une|  )eoq  iieuus 


lassaA 
uioj|  - /jaAooaj 
/qounei  )eoq  iieuis 


)uauii|S!ua|daj 
AeMjapun  -  Bunanj 


ap|s  jaid  -  Buiian  j 


suopejado 

ja)do3!|aH 


poop 

-  |OJ)uo3  aBeuiea 


ajp 

-  |OJ)uo3  aBeuiea 


Bujpjeog 


Buimoi 


uopeBfAeu 
o)  spie  Bu!)|jo/w 


•2-^'  I 

is  t 

§■2  ® 
TD  S  0» 

c  5  -S 

m  ifc 

O)  c  o> 
.c  0)  .c 

1 .1  5 

a>  5  a> 

0“  ©  O' 


O)  c:  O) 

.S  ®  .S 

g.a  e 

0)  5  0) 

0^0 


.S  53  .c: 
!t3  8  ^ 
‘5  *5  S 

Q.  <0  CL 


55  ^  c 

.S  o 

^  ^ 

:S  CD  ^ 

Q)  ^  2 

^  <0  o 

'C  -Q  «C: 
0)0)0) 
c  .c  ,c 

5  S  ."B 
S  8  S 

CL  CL  CL 


<D  p 
to  .O 


o  O) 

S  2 

CD  -S 

a  X) 
O)  O) 
.2  .2 
:t3  ?3 

CL  CL 


9-18 


Coast  Guord  IRA  Manual 


Vessel  Operation/Evolution 


Operations/Evolutions,  Functions, ... 


Example  Matrices 


Coast  Guard  IRA  Manual 


Providing  assessment/investigation/ 
coordination  services 


Operations/Evolutions^  Functions, 


Example  Matrices 


ISC  operations/evolntions  and  innction  matrix 


ISC  Function 


ISC  Operation/Evolution 


Operating  vessels/craft 


Operating  aircraft  (in-flight  and 
ground  operations) 


Operating  powered  vehicles  (trucks, 
cars,  mobile  cranes,  foddifts,  etc.) 


Operating  hand-operated  moving 
equipment  (dollies,  carts,  etc.) 


Operating  lifting  equipment 


Providing/maintaining  structures 
(buildings,  piers,  vessels,  craft) 


Operating  industrial  systems/ 
equipment 


Operating  large  caliber  weapons 


Operating  small  caliber  weapons  and 
other  weapons 


Providing  electronic  systems 
services 


Providing  electrical  power  services 


Providing  fueling  services 


Providing  potable  water  services 


Providing  drainage  services 


Providing  heating/ventilating/air 
conditioning  (HVAC)  services 


Providing  trash  removal  services 


Providing  compressed  air  services 


Providing  compressed  gas  services 


Providing  sewage  services 


Providing  food  services 


Providing  berthing  services 
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MSO  operatioms/evolittions  and  innetion  matrix 


MSO  Operation/Evolution 


MSO  Function 


Operating  vessels/craft 


Operating  aircraft  (in-flight  and 
ground  operations) 


Operating  powered  vehicles  (trucks, 
cars,  mobile  cranes,  forklifts,  etc.) 


Operating  hand-operated  moving 
equipment  (dollies,  carts,  etc.) 


Operating  lifting  equipment 


Providing  administrative  services 


Providing  assessment/investigation/ 
coordination  services 


Inspecting  propulsion  machinery 
and  diesels 


Inspecting  steering  equipment 


Inspecting  boilers  and  pressure 
vessels 


Inspecting  auxiliary  machinery/ 
systems 


Inspecting  electrical  systems 


Inspecting  fire  protection  equipment 


Inspecting  lifesaving  equipment 


Inspecting  emergency  equipment 


Inspecting  pollution  prevention 
systems/equipment 


Inspecting  navigation  equipment 


Inspecting  ground  tackle 
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